Who Is Subject to the Regulations?
The regulations apply to all persons who own, license, store, or maintain personal information about a Massachusetts resident. The regulations specifically apply to:
- Natural persons
- Corporations (or other business entities)
What Is “Personal Information”?
“Personal information” is defined to include a Massachusetts resident’s first and last name (or first initial and last name) combined with any one or more of the following elements relating to such resident:
- Social Security number
- Driver’s license number or state-issued identification card number
- Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password
What Type of “Records” Are Included?
The regulations define “records” to include any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded, regardless of physical form or characteristics.
The following records therefore are subject to the regulations:
- Personnel records
- Payroll records
- Electronic records
- Credit card information
- Customer records
How Is Compliance Judged?
The regulations attempt to strike a balance between the legitimate needs of businesses seeking to avoid costly and burdensome administrative and technical requirements, and the privacy and security interests of Massachusetts residents.
The regulations have therefore adopted a “reasonableness” standard by which to measure compliance. For example, persons must use “a reasonably secure method of assigning and selecting passwords,” adopt “reasonable restrictions upon physical access to records containing personal information,” and employ “reasonably up-to-date firewall protection” and “reasonably up-to-date versions of system security agent software”.
Further, compliance with the regulations is evaluated taking into account the entity’s size, scope, and amount of resources, together with the amount of stored data and the need for security and confidentiality of both consumer and employee information.