Preventing Identity Theft — The New Employer Duty

A tough new data protection law is on the books and will soon require virtually all Massachusetts businesses to implement comprehensive policies to protect against identity theft. The statute applies so broadly that employers of every size and shape will be subject to it. All must create, implement, monitor and regularly update internal data protection procedures and encrypt information that is either transmitted via the internet or stored on portable devices.

Though the data security law became effective in October 2007, enforcement has been delayed until March 1, 2010 to permit Massachusetts companies time to become compliant. Doing so is a daunting task, since the statute’s broad reach captures virtually every every piece of what’s called “personal information.” That phrase refers to a combination of an individual’s name and either a social security number, driver’s license number, or financial account/credit card number or password. Employers must be certain to protect against both external data thefts and internal breaches. Not surprisingly, the latter sort is far more common.

The data protection law has two major requirements. First, data holders — defined as any person that receives, stores or has access to personal information — must draft a comprehensive security program. The new program must name one person to maintain data protection measures, identify security risks, provide for ongoing employee training, and include policies that secure private data, among other things. Second, the law requires any person who electronically stores or transmits personal information to implement computer security systems. These must include password protection protocols, access restrictions, encryption of laptops and other portable devices, reasonable monitoring, and more.

Though it does not appear the Commonwealth will actively monitor compliance with the new law, at least at the outset, the statute requires prompt reporting of all security breaches to data owners as well as various governmental entities. Any such event might trigger review and enforcement, and policies will need to then be in place. The failure to maintain data security procedures or to report breaches is enforceable by the Massachusetts Attorney General. Civil penalties of $5,000 per violation plus charges for Attorney General investigations and enforcement lawsuits — including legal fees — can be awarded against violators.

Framingham employment lawyer Attorney Jack Merrill provides legal services to employees, employers and businesses throughout the Boston metro west and Worcester County region including Ashland, Dedham, Framingham, Franklin, Hopkinton, Maynard, Marlborough, Milford, Natick, Needham, Newton, Shrewsbury, Sudbury, Waltham, and Worcester, Massachusetts.