Massachusetts Data Security Law Requirements
This article was authored by Tracey Bolotnick, an Attorney at Hurwit & Associates and was published to the Hurwit & Associates website on October 5, 2011. She can be contacted at (617)630-6900 or firstname.lastname@example.org for further information on this subject.
Many of our clients who are based in Massachusetts or conduct operations in the Commonwealth have asked recently about the relatively new regulations adopted by the Massachusetts Office of Consumer Affairs and Business Regulation ("OCABR") regarding data security. The regulations, which require the adoption and implementation of data privacy policies to safeguard sensitive information, were passed in an effort to reduce identity theft, and do not exempt nonprofit organizations.
The regulations apply to any organization that holds "personal information" of a Massachusetts resident (even if the organization is located outside of Massachusetts). "Personal information" for these purposes includes a person's first name and last name, or first initial and last name, in combination with that person's social security number, driver's license number (or other state-issued identification number), or financial account number (or credit or debit card number, with or without any required password, PIN, etc.). In practice, this will cover most nonprofit organizations that have employees (whose social security numbers will have been collected on employment documents) and/or accept donations from the public via check or credit card.
To comply with the regulations, nonprofit organizations that hold personal information must adopt and implement a written "comprehensive information security program" ("CISP"). The CISP should be customized to address the particulars of each organization, but must cover certain standard items. Among these are the appointment of a data security coordinator, restrictions on access to hard copy data containing personal information, establishment of a security system covering computers used by the organization, encryption for electronically transmitted personal information, provision for training employees on data security procedures, and procedures for ensuring protective practices by third party vendors who have access to the organization's personal information.
In the event of a "breach of security" (defined as any unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information and that creates a substantial risk of identity theft or fraud), the regulations require the organization to notify the affected individual, the Massachusetts Attorney General and the OCABR. The notifications must provide specific, detailed information about the breach and the corrective procedures taken.
The OCABR provides guidance on how to craft a CISP and what to include in breach notices on its website at: http://www.mass.gov/ocabr/docs/idtheft/sec-plan-smallbiz-guide.pdf and http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf.