Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I share personal information about my customers with third parties in Massachusetts? What are the requirements?

Based on the documents provided, sharing personal information about customers with third parties in Massachusetts is allowed, but it must be done in compliance with the state’s regulations.

Requirements for Sharing Personal Information with Third Parties in Massachusetts

According to 201 CMR 17.03, every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards that are appropriate to the size, scope, and type of business of the person obligated to safeguard the personal information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.

Furthermore, every comprehensive information security program shall include, but shall not be limited to:

  • Designating one or more employees to maintain the comprehensive information security program;
  • Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information;
  • Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises;
  • Imposing disciplinary measures for violations of the comprehensive information security program rules;
  • Preventing terminated employees from accessing records containing personal information;
  • Overseeing service providers by taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with 201 CMR 17.00 and any applicable federal regulations; and requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information;
  • Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers;
  • Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks;
  • Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information;
  • Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Therefore, if you want to share personal information about your customers with third parties in Massachusetts, you must ensure that you have a comprehensive information security program in place that meets the requirements outlined in 201 CMR 17.03.

Exceptions

Exceptions to the requirements outlined in 801 CMR 3.00 include criminal offender record information, intelligence or evaluative information, and any information contained in a public record.

Additional Information

Other regulations that may be relevant to sharing personal information with third parties in Massachusetts include 760 CMR 8.03, which outlines requirements for the collection and maintenance of personal data, 803 CMR 11.05, which outlines procedures for requesting criminal offender record information, 840 CMR 6.10, which outlines access to personal data in retirement files by the general public, and 205 CMR 103.10, which outlines requests for protecting confidential information.

In summary, you can share personal information about your customers with third parties in Massachusetts, but you must have a comprehensive information security program in place that meets the requirements outlined in 201 CMR 17.03. Additionally, there are exceptions to the requirements outlined in 801 CMR 3.00.

Jurisdiction

Massachusetts