Preventing Identity Theft — The New Employer Duty

A tough new data protection law is on the books and will soon require virtually all Massachusetts businesses to implement comprehensive policies to protect against identity theft. The statute applies so broadly that employers of every size and shape will be subject to it. All must create, implement, monitor and regularly update internal data protection procedures and encrypt information that is either transmitted via the internet or stored on portable devices.

Though the data security law became effective in October 2007, enforcement has been delayed until March 1, 2010 to permit Massachusetts companies time to become compliant. Doing so is a daunting task, since the statute’s broad reach captures virtually every every piece of what’s called “personal information.” That phrase refers to a combination of an individual’s name and either a social security number, driver’s license number, or financial account/credit card number or password. Employers must be certain to protect against both external data thefts and internal breaches. Not surprisingly, the latter sort is far more common. [Read more…]