Can I store personal information about my customers in Massachusetts? What are the requirements?
Storing Personal Information in Massachusetts
Yes, you can store personal information about your customers in Massachusetts, but you must comply with the state’s data protection laws. The primary law governing the protection of personal information in Massachusetts is 201 CMR 17.00 [1.1].
Requirements for Storing Personal Information
To comply with 201 CMR 17.00, you must develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards appropriate to the size, scope, and type of your business, as well as the amount of stored data and the need for security and confidentiality of both consumer and employee information [1.1].
The comprehensive information security program must include, but is not limited to:
- Designating one or more employees to maintain the comprehensive information security program;
- Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information;
- Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises;
- Imposing disciplinary measures for violations of the comprehensive information security program rules;
- Preventing terminated employees from accessing records containing personal information;
- Overseeing service providers by taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with 201 CMR 17.00 and any applicable federal regulations;
- Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers;
- Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks;
- Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information;
- Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information [1.1].
Purpose and Scope
201 CMR 17.00 implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts. 201 CMR 17.00 establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records [1.2].
Written Information Security Program
You must develop, implement, maintain, and monitor a Written Information Security Program (WISP) designed to safeguard the personal information of residents of the Commonwealth contained in the records of your business. The WISP shall include the following elements:
- Designation of Employee;
- Identification and Assessment of Internal and External Risks;
- Reasonable steps to ensure that departing or former employees cannot physically or electronically access records containing personal information;
- Reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.03;
- Collection of Information;
- Access, Storage, Use, and Disclosure;
- Monitoring;
- Review of Program;
- Review, Responsive Action, and Documentation of Responsive Action;
- Destruction;
- Employee Training [2.1].
Computer System Security Requirements
With respect to information stored and maintained in electronic form, you must establish and maintain security measures covering your computers, including wireless systems, that, at a minimum and to the extent technically feasible, have the following elements:
- Secure user authentication protocols;
- Secure access control measures that restrict access to records containing personal information to those who reasonably need such information to perform their job duties, and assignment of a unique user ID plus a password, which is not vendor supplied, to each person with computer access;
- Restricted access to computerized records containing personal information;
- Safeguards against access by former employees;
- Safeguards applied to the transmission of personal information;
- Reasonable periodic monitoring of networks and systems for unauthorized use of or access to personal information, and recording the audit trails for users, events, dates, times, and success or failure of login;
- Encryption of personal information stored on laptops or other portable devices [2.2].
In summary, you can store personal information about your customers in Massachusetts, but you must comply with the state’s data protection laws, including 201 CMR 17.00. This requires developing, implementing, and maintaining a comprehensive information security program that includes administrative, technical, and physical safeguards appropriate to the size, scope, and type of your business, as well as the amount of stored data and the need for security and confidentiality of both consumer and employee information.
Source(s):
- [1.1] Duty to Protect and Standards for Protecting Personal Information
- [1.2] Purpose and Scope
- [2.1] Written Information Security Program
- [2.2] Computer System Security Requirements
Jurisdiction
Massachusetts