Andrew G. Lizotte Michael T. Marcucci Kathleen E. Cross

atLaw

Personal Information Protection

Karen A. Whitley


Our Employment Law group continues to monitor developments under the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00, commonly known as the new “privacy regulations.” The privacy regulations, which supplement the identity theft laws passed in 2007 (Mass. G.L. c. 93H and 93I), are slated to take effect on January 1, 2010. The regulations require individuals, businesses, and governmental agencies to use certain safeguards when collecting, maintaining, transmitting, disposing of, or destroying records (electronic, paper, or otherwise) that contain personal information of Massachusetts residents. Personal information is a combination of a person’s name and a Social Security number, bank account number, or credit card number. The regulations apply to all entities conducting business in Massachusetts, regardless of their size.

Even though the regulations were initially publicized more than one year ago, and chapters 93H and 93I were passed into law two years ago, many clients have not yet begun the work necessary to ensure that they are compliant. For example, many companies have not yet surveyed the information they hold to determine where and how they store “personal information,” whether they adequately protect that information (particularly when it is stored on portable devices or transmitted wirelessly or over public networks), and what they do with the information once they no longer need it.

Under the regulations, every person who stores personal information must have a Written Information Security Program (WISP). The WISP should include certain administrative, technical, and physical safeguards that will be used to keep personal information safe, secure, and confidential. Although a WISP will be different for each company, it should include the following:

  • designation of an employee to maintain the WISP;
  • guidelines for evaluating and addressing reasonably foreseeable internal and external risks to security;
  • security policies applicable to current and former employees;
  • appropriate disciplinary measures for violations;
  • a method for verifying that third-party service providers also protect personal information;
  • limits on the amount of personal information that is collected and maintained;
  • other reasonable procedures or restrictions, depending upon the needs and size of the business; and
  • documentation of any security breaches and the responsive actions taken.

It is also a good time to draft or update other related policies, such as document or email retention policies, confidentiality policies, and policies governing employees’ use of company property, including laptops and Blackberries. In situations where personal information might have been compromised, Hanify & King’s lawyers are available to help employers determine the appropriate course of action, and will guide employers through the required steps of notifying affected individuals and various governmental agencies.
