Does your business accept checks or credit cards?
If your business accepts checks or credit cards from Massachusetts residents, this article is definitely for you. Even if you live in a state where there are currently no requirements for this type of security, something similar may be coming to your state soon. So see what plan Massachusetts is putting into place. No matter where your business is located, safeguarding your customers' personal information just makes good business sense.
Effective March 1, 2010, every organization who collects, owns or licenses personal information about a resident of Massachusetts should be in full compliance with 201 CMR 17. This new personal data protection law establishes a standard set of regulations for businesses to protect and store Massachusetts residents' personal information. Personal information is defined under the new regulation as a resident's first name and last name, or first initial and last name, and one or more of the following:
· Social Security number· Driver's license number or state-issued ID card number· Financial account number (bank account number) or credit or debit card number (with or without any type of security or access code or password).
So this law applies to ANY BUSINESS, regardless of size, who accepts checks or credit cards.
The law requires companies to develop and implement several security safeguards, including:
· A comprehensive written information security plan (WISP) creating effective administrative, technical and physical safeguards of personal information.· Protection against any anticipated threats or hazards to the security or integrity of personal information (such as restricted physical access, computer passwords).· Policies regulating employees' ability to access and transport records outside work.· Disciplinary measures for violations of these new safeguards. MGL Chapter 93A, section 4 specifically "authorizes the Attorney General to seek injunctive relief against the organization involved in the unauthorized act or practice and allows a court to impose a $5,000 civil penalty for each violation". If "violation "is interpreted to mean the unauthorized access to a single individual's personal information, potential damages could be enormous.
It's not as daunting a task as it sounds. Most of the procedures are fairly simple to implement. Here are links to the law and WISP guidelines.If you would like more information or assistance, you can contact a private company who specialize in helping you implement an acceptable plan.
Thank you to David Javaheri at http://r20.rs6.net/tn.jsp?t=zlc7kgdab.0.0.tnz777cab.0&ts=S0464&p=http%3A%2F%2Fwww.compliancehelp.net%2F&id=preview for his help with this article.