Massachusetts Data Privacy Laws And Regulations Including Written Information Security Program

Massachusetts data privacy laws require notice of security breaches, standards for disposing of personal information, and a written information security program maintained by the owner or licensor of the information.


Data Privacy Conference sponsored by New England Data Services, Technical Support International, Exclusive Concepts

September 23, 2009


By Robert A. Adelson, Esq.


Massachusetts Data Privacy Laws

1. Data Security Problem in Massachusetts

  • 2007 attack on TJX affected millions of customers
  • Since Nov. 2007, 450 breaches reported to state officials affecting 700,000 Mass. residents (Boston Business Journal, March 2009)

2. Mass. Gen. Laws chapter 93H §2 (2007)

  • State Office of Consumer Affairs and Business Regulation to adopt regulations for persons who own or license PI (see below)
  • MA state executive offices, Legislature, Judiciary, AG, Treasurer, Auditor to also adopt rules to safeguard PI
  • Objectives: security of customer information, protection against anticipated threats, unauthorized access or use of PI
  • Regulations take into account:
    (1) person or agency's size,
    (2) scope and type of business,
    (3) amount of resources available to person or agency,
    (4) amount of stored data,
    (5) need for security and confidentiality of both consumer and employee information, to ensure security and protect against threats and unauthorized access

3. Mass. Gen. Laws chapter 93H §3 (2007)

  • Duty to report security breaches, unauthorized use of PI
  • Persons / agencies that maintain or store PI must report to the owner and cooperate by providing information on the incident
  • Owner or licensor of PI must report to AG, Director OCABR, and affected resident
  • Notice to resident to include right to obtain police report & information on obtaining security freeze

4. Mass. Gen. Laws chapter 93I (2008)

  • Minimum standards set to dispose of records containing PI
  • Paper documents shredded, burned or destroyed; electronic records erased with no possibility of reconstruction of the paper or electronic records
  • Third parties who dispose must prevent unauthorized access and unauthorized use

5. Mass. Gen. Laws chapters 93H and 93I – Enforcement

  • AG can bring action for violation
  • Added civil fines in 93I

Law Coverage: Personal Information

1. Personal Information (“PI”), as defined in the law

  • Mass. resident's name in combination with one of:
  • Soc. Security no., driver's lic., financial acct, credit or debit card

2. Examples of those covered by the law

  • Employers with SS# of employees
  • Accountants and service providers with SS# of clients
  • Retailers with credit card information of customers

Actions required by March 1, 2010

1. Adopt a comprehensive written information security program (WISP)

2. Ensure the WISP protects personal information in both paper and electronic forms

3. Secure paper records, shredding those not retained

4. Actions for computers containing personal information

  • Provide that access is restricted
  • Provide protocols for secure user authentication

5. Actions for laptops and other portable devices

  • Encryption of records on portable devices
  • Encryption of records transmitted

6. Adopt standards to evaluate the WISP

7. Adopt standards to train personnel

8. Adopt standards to discipline personnel for violations of the WISP

9. Bar access to information by any terminated employee

Written Information Security Program

1. Designation of employee(s) to maintain the security program

2. Identification and assessment of internal and external risks to security

3. Development of security policies for employees who take records outside the office

4. Imposition of disciplinary measures for violations of WISP

5. Prevention of terminated employees' access to records

6. Oversight of third-party service providers, taking steps to select and retain providers capable of maintaining security measures to protect PI consistent with the regulations

7. Restrictions on physical access to records, and storage in locked facilities, areas, containers

8. Monitoring to ensure operation of the program

9. Review of security measures at least annually and sooner if changes arise

10. Documentation of response to any security breaches

Additional Obligations for Personal Information on computers and laptops

1. Secure user authentication protocols

  • Control user IDs and passwords
  • Restricting access to active users only
  • Block access after a number of unsuccessful attempts

2. Secure access control measures

  • Restricting access to those with a need to know
  • Assign unique IDs and passwords to maintain integrity

3. Encryption of all transmitted records containing PI

4. Reasonable monitoring of systems for unauthorized use

5. Encryption of all PI stored on laptops or portable devices

Actions required by March 1, 2012

1. Requiring third party service providers by contract to implement and maintain appropriate security measures for PI

2. Applies to contracts with third parties entered into by Mar. 1, 2010


These materials were prepared by Robert A. Adelson, Esq., Partner at Engel & Schultz, LLP, 265 Franklin Street, Suite 1801, Boston, MA 02110, (617) 951-9980. Fax (617) 951-0048. Website: Mr. Adelson is a graduate of Boston University, Phi Beta Kappa and Northwestern University Law School in Chicago where he was a member of Law Review. He also has an LL.M. degree in Taxation from New York University and is a member of the Massachusetts, New York and US Tax Court Bars.

Robert Adelson began his legal career in 1977 as an associate at major New York City law firms, first Dewey Ballantine and later Weil Gotshal & Manges, before returning home to Massachusetts in 1985, where he was a partner at several Boston firms before joining his present firm as senior business law partner in 2004. Mr. Adelson specializes in corporate, taxation, finance, employment, intellectual property, commercial and technology contracting law. In those areas, he frequently represents startup and smaller companies in software, e-commerce, and other technology-based fields. He also represents executives or consultants in employment and severance negotiations, stock, options and stockholder arrangements, incorporation and liability protection, intellectual property protection, and in vendor, client and subcontractor contracting arrangements.

Mr. Adelson's law firm, Engel & Schultz, LLP, is a small but broad service law firm of 6 attorneys in Boston. The firm complements Mr. Adelson's work in business and tax law with seasoned attorneys in litigation, real estate, family and probate matters.

Mr. Adelson is a frequent speaker at business forums and author of numerous published articles including articles on employment termination and employment negotiations. For articles, see For further information on Mr. Adelson’s background, see

The speaker thanks Chris Souza, for the opportunity to speak and present to this conference arranged by New England Data Services, along with Technical Support International and Exclusive Concepts on the subject of “Massachusetts Data Privacy Laws and Regulations” at Dedham Country and Polo Club, Dedham, Massachusetts, on September 23, 2009.

The purpose of these materials is to offer outlines on the subject matter of the presentation to aid companies, consultants and professionals trying to comply with Massachusetts privacy laws and regulations. Thus, it is hoped these materials will be informative to those in attendance. These materials are not legal advice and are not intended as any substitute for professional advice or counsel in a particular case.

Author: radelson

Robert Adelson has been a corporate and tax attorney since 1977. He began as an associate at nationally prominent New York City “mega” law firms, first at the Wall Street firm Dewey Ballantine Bushby Palmer & Wood and later at the Park Avenue firm Weil Gotshal & Manges. In 1985, Adelson returned home, where he has since established himself as a respected Boston business attorney. He has attained partner at several small and midsize Boston law firms, most recently at Lawson & Weitzen LLP and then Zimble Brettler LLP, where he was a partner from 1994 to 2004 before becoming a partner at Engel & Schultz LLP.
