
Data Security and Identity Theft: New Privacy Regulations That Affect Your Business

Companies that store or maintain personal information about Massachusetts residents have only until March 1, 2010 to comply with Massachusetts' comprehensive data security regulations. These regulations, which are by far the most technically stringent and far-reaching of any state, purport to affect virtually every business, regardless of location. Legal expert Robert McHale asks, “Are you in compliance?”

Effective March 1, 2010, all businesses that own or license personal information of Massachusetts residents are required to comply with comprehensive information security regulations adopted by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR).

The regulations—entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth”—are by far the most stringent and far-reaching information security regulations adopted by any state to date.

The regulations are designed to ensure the security and confidentiality of personal information of Massachusetts residents; to protect against anticipated threats to the security or integrity of such information; and to protect against unauthorized access to or use of such information in a manner that may result in substantial harm or inconvenience to any consumer.

Because the regulations affect virtually every entity conducting business in Massachusetts, it is imperative that companies implement proper information security programs to comply with the regulations.


In 2007, Massachusetts joined 38 other states in enacting a data breach notification law. Chapter 93H requires entities that own or license personal information of Massachusetts residents to give notice of the unauthorized acquisition or use of that data when it is compromised.

Significantly more aggressive than similar legislation from other states, Chapter 93H also mandates the adoption of detailed information security regulations for businesses in order to reduce the number of security breaches and thereby the need for data breach notifications.

The resulting regulations (201 CMR § 17.00 et seq.) establish minimum standards by which a company is required to safeguard the integrity of the personal information it handles.
