Massachusetts Privacy Laws Requiring Document Destruction: 201 CMR 17.00
Personal information to be protected includes a person’s name and address combined with a complete Social Security number, a driver’s license or other state-issued identification number, or a complete credit card or bank account number.
Companies that do keep this information will need to take some prescribed steps towards compliance. They must:
1. Establish written policies and procedures for the protection of these files, both in the electronic and physical formats.
2. Be able to justify the need for all such information kept in house. Obviously employee data is needed for tax, 401(k) and insurance withholdings. But for client records, is it possible to maintain only the last four digits of a credit card number?
3. Establish robust user password requirements for the designated employee(s) to gain access to these files.
• Passwords for employees accessing this data should be as complex as possible and changed frequently.
• Companies need to review who can access these now protected files.
• It is advised to minimize the number of staff who would have this access.
• Companies should also consider implementing auditing tools that track who accessed which personal information, and when.
4. Put in place a personal information security officer responsible for maintaining, updating and training company employees about personal information protection policies.
5. Make sure disciplinary measures for violations are in place.
6. Maintain hard copy files of personal information in always-locked cabinets, with access restricted to the minimum number of designated employees.
7. Have enterprise security tools in place: firewalls, plus server and workstation anti-malware and antivirus protection, kept current and updated automatically on a regular basis.
8. Consider outsourcing this risk whenever possible – for example, by transferring the responsibility for maintaining employee personal information to a certified online personal records service provider. Consider using a certified credit card processing service, with your company only inputting, but not able to record, client credit card information. Third-party certifications for 201 CMR 17.00 must be in place before January 1st 2010.
9. Ensure that any electronic communication of this protected data, whether wireless or online, be conducted using robust encryption.
10. Ensure that any storage of this protected data on laptops is robustly encrypted by May 1, 2009. Protected data stored on PDAs, memory sticks, CDs or other portable devices must be encrypted by January 1 2010.
11. Minimize the amount of personal information stored and the length of time it is kept. Companies should regularly review the protected data they maintain and purge all but what is absolutely necessary to keep on file.
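Items 2 and 11 both come down to the same practical step: finding out where full card numbers still sit in retained records and reducing them to the last four digits. The following is an added example written for this page, not code from the article or from any shredding or compliance vendor. It scans a set of constructed sample records (the card numbers are public test values, not real accounts) for digit runs that pass the Luhn check, reports them in truncated form, and can rewrite a record so that only the last four digits remain.

```python
"""Find full card numbers in retained client records and reduce them to last-four.

Added example: sample records are constructed, and the card numbers are
standard public test values, not data from the page.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample records (hypothetical client files, not from the page).
SAMPLE_RECORDS: Dict[str, str] = {
    "client-001": "Invoice paid with card 4111 1111 1111 1111, exp 12/12",
    "client-002": "Card on file ending in 4242 (truncated at intake)",
    "client-003": "Order ref 1234567890123 shipped",  # 13 digits, fails Luhn
    "client-004": "Payment card 5500-0000-0000-0004 kept for recurring billing",
}

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_full_card_numbers(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit run in the text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def truncate_to_last_four(pan: str) -> str:
    """Retention form: mask everything except the last four digits."""
    digits = _digits_only(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_records(records: Dict[str, str]) -> List[Tuple[str, str]]:
    """List (record id, truncated number) for every full card number retained."""
    findings = []
    for rid, text in records.items():
        for pan in find_full_card_numbers(text):
            findings.append((rid, truncate_to_last_four(pan)))
    return findings


def redact_record(text: str) -> str:
    """Rewrite a record so any full card number keeps only its last four digits."""
    def _mask(m: "re.Match[str]") -> str:
        digits = _digits_only(m.group(0))
        return truncate_to_last_four(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    for rid, masked in scan_records(SAMPLE_RECORDS):
        print(f"{rid}: full card number retained ({masked})")
    print(redact_record(SAMPLE_RECORDS["client-001"]))
```

The Luhn check filters out most order numbers and reference codes, but some non-card numbers will still pass it, so findings belong on a review list rather than in an automatic delete; the redaction step is what a reviewer applies once a record is confirmed to hold a card number that the business has no justification to keep in full.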
Security threats continue to rise, and lost information can be devastating to companies and can be an indicator that fraud is being perpetrated. As the new Massachusetts law dictates, companies that hold such information will have to take appropriate measures to safeguard privacy.
To protect your consumers’ privacy, all such documents must be shredded; try our economy document shredding service: