After several postponements and amendments, Massachusetts regulations 201 CMR 17, Standards for Protection of Personal Information of Residents of the Commonwealth, went into effect today. These regulations create very specific obligations for businesses that own or license personal information about any Massachusetts resident, regardless of the size of the business or the number of employees that business employs. All businesses are required to be in full compliance with the regulations by March 1, 2010.

The first step business must take to get into compliance with the new regulations is to implement an information security program. This program must be in writing and must outline various steps the business will take to protect personal information, whether that information is stored electronically or in paper documents. The regulations require numerous specific provisions that must be included in the program, such as a secure method of assigning and selecting passwords; encryption of all data containing personal information that is transmitted wirelessly or across public networks; and maintaining reasonably up-to-date firewall and malware protection.

Once they have their program in place, the next step businesses must take is to educate employees who handle personal information about their role in protecting that information. Additionally, businesses that retain third-party vendors such as payroll administrators or document disposal companies must take reasonable steps to ensure those vendors are properly safeguarding personal information.

Royal & Klimczuk, LLC continues to conduct seminars detailing businesses’ obligations under the new identity theft regulations and how businesses can come into compliance with the regulations. Details on these and other seminars can be found at: http://www.rkesq.com/upcomingseminars.html.

For more information about planning for compliance, please contact Amy B. Royal, Esq. or Kimberly A. Klimczuk, Esq. at (413) 586-2288. Amy and Kimberly may also be reached by e-mail at aroyal@rkesq.com and kklimczuk@rkesq.com, respectively.