Do you have any customers or clients who live in Massachusetts? What about employees? If you answered yes to either of these questions, then you had better pay attention to the new identity theft law that takes effect on March 1. It almost certainly applies to you and your business and will require that you take immediate steps to comply.
If you haven’t heard of this, you are not alone. A recent unscientific survey (i.e. I spoke with several of my friends and colleagues) reveals that few business owners are aware that this law takes effect in just over a week. Those who have heard of it had no idea that the law applies to them.
So here’s the scoop: In just over a week, the Massachusetts Data Security Regulation, 201 CMR 17.00, goes into effect. It is arguably the most sweeping and comprehensive legislation of its kind. While some 44 states and the District of Columbia now have laws that require notice to consumers in case of a security breach (i.e. after the horse is already out of the barn), the Massachusetts regulation is aimed at prevention. It includes a comprehensive road map that requires assessing risks, creating policies and procedures to secure sensitive data, and regular monitoring and review of procedures to ensure that they remain current and effective.
The impetus for these identity theft laws was the sudden wave of high-profile security incidents that affected millions of consumers at major retailers and other companies that handle sensitive data, including TJX, BJ’s and DSW. But while those cases affected large, publicly traded companies, the new law here in Massachusetts does not discriminate between large and small businesses. Practically every business that comes into contact with a consumer’s or employee’s personal information (social security number, driver’s license number, bank or credit card number, etc.) will need to comply. That includes car dealerships, supermarkets, the local pizza shop and hairdresser and even your dog’s vet.
So what should you do now? The first step is to get an understanding of the law and what is required. My previous article is a good starting point. You can also check out the information at the Office of Consumer Affairs and Business Regulation, which drafted the regulations. And certainly, you would be well advised to consult with a legal professional who is familiar with the law and the process of preparing a compliance plan.
If you would like more information on this topic, please call me at 781-707-3883 or use the “Contact Me” page listed above.