Can I use third-party marketing automation tools that collect personal information in Massachusetts? What are the requirements?
Third-Party Marketing Automation Tools and Personal Information in Massachusetts
If you use third-party marketing automation tools that collect personal information in Massachusetts, you must comply with the state’s data security regulations, specifically the Computer System Security Requirements set out in 201 CMR 17.04 and 965 CMR 3.04.
Under these regulations, you must establish and maintain a security system that, at a minimum, includes the following elements:
- Secure user authentication protocols, including control of user IDs and other identifiers, a reasonably secure method of assigning and selecting passwords, periodic changing of passwords, and restricting access to active users and active user accounts only.
- Secure access control measures that restrict access to records containing personal information to those who reasonably need such information to perform their job duties, and assignment of a unique user ID plus a password, which is not vendor supplied, to each person with computer access.
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
- Reasonable monitoring of systems for unauthorized use of or access to personal information.
- Encryption of all personal information stored on laptops or other portable devices.
- For files containing personal information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches.
Additionally, you must develop, implement, maintain, and monitor a Written Information Security Program (WISP) designed to safeguard the personal information of residents of Massachusetts contained in your records. The WISP must include the following elements:
- Designation of an employee to design, implement, and coordinate the maintenance of the WISP.
- Identification and assessment of internal and external risks to the security, confidentiality, or integrity of any electronic, paper, or other records containing personal information.
- Reasonable steps to ensure that departing or former employees cannot physically or electronically access records containing personal information.
- Reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.03.
- Collection of information required by law and the minimum amount of personal information reasonably necessary to accomplish the legitimate governmental purpose for which it was collected.
Furthermore, every person that owns or licenses personal information about a resident of Massachusetts shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size, scope, and type of business of the person obligated to safeguard the personal information under such comprehensive information security program. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated [2.1].
Failure to comply with these regulations may result in penalties of up to $100 per day [1.1][4.1][2.2][4.2].
Therefore, if you use third-party marketing automation tools that collect personal information in Massachusetts, you must ensure that both your computer system security measures and your WISP comply with the state’s data security regulations.
Source(s):
- [1.1] Annual Reporting Requirements
- [2.1] Duty to Protect and Standards for Protecting Personal Information
- [4.1] Computer System Security Requirements
- [2.2] Computer System Security Requirements
- [4.2] Written Information Security Program
Jurisdiction: Massachusetts