Mass Privacy/Identity Theft Prevention law
Monday, February 08 2010 @ 06:06 PM UTC
Contributed by: Alphalock
Will this law affect me in New Hampshire?
Massachusetts General Law 93H
Identity Theft Prevention Bill Effective March 01, 2010
In July 2007 the Massachusetts legislature passed a comprehensive identity theft prevention program which provides that Massachusetts consumers must be notified of any breach of their personal information that creates a substantial risk of identity theft or fraud as soon as practicable and without unreasonable delay after a breach occurs.
In October 2009 the office of Consumer Affairs filed final regulations for 201 CMR 17.00. The Attorney General is charged with enforcing the provisions of the law and can file injunctions or take other action to remedy breaches of security. Violating the terms of an injunction carries a civil penalty of $10,000 for each violation.
How does this affect locksmiths? It affects locksmiths on both sides of the equation: service provider (those that engage in commerce) and employer.
This regulation applies to those who collect and retain personal information in connection with the provision of goods or services or for the purposes of employment. Personal information is a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.
So if a locksmith performs a simple lockout and records a name and drivers license number, that locksmith must comply with these regulations.
How difficult is that? Let’s see:
If you use credit card swipe technology only, and you do not have actual custody or control over the personal information, then you would not own or license personal information with respect to THAT data, as long as you batch out such data in accordance with the Payment Card Industry standards. However, if you have employees, then keep on reading.
The law states that when a breach occurs, the Attorney General’s office must be notified. When notified, they will ask you: “Where is your Written Information Security Program?” Otherwise known as “WISP”.
If you say “What is a WISP?” they will come down on you with all kinds of fines to help mitigate the breach.
The following is not a substitute for compliance with 201 CMR 17.00; rather, it is a useful tool to aid in the development of a written information security program for a business that handles “personal information”.
Does the WISP include administrative, technical, and physical safeguards for Personal Information protection?
Have you identified the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices that contain personal information?
Have you identified and evaluated reasonably foreseeable internal and external risks to paper and electronic records containing PI? (Note: this must be in writing)
Have you evaluated the effectiveness of current safeguards in writing?
Does the WISP include regular ongoing employee training, and procedures for monitoring employee compliance?
Does the WISP include policies and procedures for when and how records containing PI should be kept, accessed, or transported off your business premises?
Does the WISP provide for immediately blocking terminated employees’ physical and electronic access to PI records (including deactivating their passwords and user names)?
In your WISP, have you specified the manner in which physical access to PI records is to be restricted?
Ah Ha! Now we’re getting into locksmith domain! Physical access means locks and keys, or pushbutton locks, or biometric locks with audit control. Have I got your attention now?
201 CMR 17.00 represents the toughest data security regulations in the nation (other than the military), a comprehensive set of rules governing the way in which all employers and others engaged in commerce maintain the privacy of personal information for Massachusetts residents.
Oh, you say, but I’m not in Massachusetts.
Remember, I only provided a small checklist. If you are a third party vendor that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation, then you also have to have a written WISP. The businesses in Massachusetts already ask for a certificate of insurance: they will now also be asking for WISP compliance.
So this does affect locksmiths on both sides of the equation, after all.
Please do not take this essay as being the last word. It is incumbent upon you, as a business owner, to contact your State Representative or State Senator to obtain a copy of 201 CMR 17.00 and find out what you have to do.