Follow Up on Massachusetts Data Privacy Law
March 2, 2010
Massachusetts attorney Michael S. Kraft was kind enough to correct me on the entry I posted last week about the state’s new data security regulations. According to Mr. Kraft, it is not only organizations based in the state of Massachusetts that need to draft a policy to protect personal information; any business that has any employee or consumer customer located in Massachusetts must do so as well.
I checked out his blog and also found other helpful advice for how employers can comply with these guidelines.
The new Massachusetts data security regulation goes into effect on Monday, March 1. If you have not yet begun to plan for the deadline, then likely either you are unaware of the requirements, or you are feeling overwhelmed by them. And who would blame you in light of the seemingly endless list of tasks:
- Develop a written information security plan (WISP);
- Identify all foreseeable risks in your organization by examining every nook and cranny where data enters, leaves or is stored;
- Implement security policies and procedures and train your employees;
- Secure all paper and electronic records and provide encryption;
- Obtain written assurances from all vendors that they are compliant;
- Regularly monitor and review to ensure compliance.
You know that it is vitally important, both because it’s legally required and because it’s the right thing to do to protect your customers. But where to begin? Do you need professional assistance – a lawyer or specialized IT firm to accomplish this task? That really depends on the size and nature of your business, the data that requires protection and how much time and energy you are willing to devote to the process. Many businesses are probably capable of accomplishing a lot on their own. For the most part, the regulation is a straightforward recitation of the tasks needed to comply. But is that the best use of your time? Noted author and business consultant Andy Birol would caution business owners to judge very carefully those tasks that they choose to do by themselves and those that are properly delegated.