201 CMR 17.00, the so-called Massachusetts encryption law, makes it clear that any business (note that Massachusetts state and local government bodies are excluded from this requirement) that collects personal information must also protect it. Some of the required measures are physical, like lockable file cabinets to protect paper documents.
Others are data-centric, like the use of disk encryption software such as AlertBoot for computers, especially laptop computers. (In fact, the law goes out of its way to point out that laptops and other portable devices that contain personal information must be encrypted.)
Does your business need to comply with this new law? Chances are the answer is yes, even if you don't collect any customer information, not even credit card numbers. (Talk to your lawyer for details; obviously, this is not legal advice.)
According to the law, a person is:
“…a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” [http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf]
In other words, pretty much anything that has the ability to conduct business is a “person” for the purposes of this personal information law.
Also, personal information is:
A Massachusetts resident's first name and last name, or first initial and last name, combined with any of the following (a name by itself is not considered personal information):
Social Security number
Driver’s license number or state-issued identification card number
Financial account number or credit or debit card number
I formatted the above for easier reading; the actual text from the law can be found at the end of this post. Also, the law makes it clear that the above is not considered personal information if it was lawfully obtained from publicly available sources or from government records lawfully made available to the public.
What The Definitions Mean To You
Anyhow, as a business you probably have employees. These employees get paid, which means you have to collect their Social Security number for tax reasons.
So, even if you don’t collect any customer information, you’ll have to make sure you’re complying with the law, which will go into effect on January 1, 2010. As far as I can tell, there will be no more extensions, since it’s already been pushed from January 1, 2009.
Depending on how big your business is and how many customers you have, it may not be too early to start looking into data encryption software and file cabinets with locks.
Definition of personal information as found in the law
“…a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”