Many businesses may assume that their data-security compliance is appropriately handled with software and firewalls by their information technology departments. Other businesses may assume they do not need to comply because they do not collect consumer data. Such assumptions can lead to significant legal exposure.
Two new deadlines are quickly approaching that may serve as a reminder for businesses to take proactive steps to create security programs to protect certain sensitive data and guard against identity theft. The Massachusetts Data Security Regulations state that anyone who maintains or licenses personal information of any Massachusetts resident (an employee, customer, student, patient, investor, etc.) must develop, implement and maintain a comprehensive information-security program to safeguard that information. The federal Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs or "red flags" of identity theft in their day-to-day operations, take steps to prevent the crime and mitigate the damage the crime may inflict.
Compliance Deadline for Massachusetts Data Security Regulations Is March 1, 2010
The Massachusetts Data Security Regulations require every person who owns or licenses personal information about a Massachusetts resident to develop, implement and maintain a comprehensive, written information-security program. The program must contain "administrative, technical, and physical safeguards that are appropriate to:
(a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program;
(b) the amount of resources available to such person;
(c) the amount of stored data; and
(d) the need for security and confidentiality of both consumer and employee information."
Adequate compliance with this new regulation is likely to require time and effort. The deadline for compliance is March 1, 2010.
Compliance Deadline for Identity Theft "Red Flags" Rule Is June 1, 2010
The Red Flags Rule requires financial institutions and creditors with "covered accounts," as defined by the FTC, to formulate and implement an identity-theft prevention program. The determination of whether a business or an organization is covered by the Red Flags Rule is not based on industry or sector, but rather on whether its activities fall within the relevant definitions. The FTC has cautioned that the rules apply to a wide range of industries and entities, many of which may be unaware that they would be considered a "financial institution" or "creditor" for the purposes of the rules.
The term "creditor" is defined broadly, such that any business that regularly extends, renews or continues credit; participates in the decision to extend credit or defers payment for goods or services and bills customers later would be considered a creditor under the rules.
If businesses meet the criteria for a creditor or financial institution under definitions provided by the Red Flags Rule, they may want to determine if they have any covered accounts. The Rule defines that term as either: (1) consumer accounts designed to permit multiple payments or transactions, or (2) any other account that presents a reasonably foreseeable risk from identity theft. Even business-to-business accounts may pose a threat of identity theft, so businesses may want to develop and implement an identity-theft prevention program.
If businesses have covered accounts, they must develop and implement a written program to detect and respond to the red flags of identity theft—taking into consideration the nature of the business and the risks faced—and update the program periodically. The deadline for compliance is June 1, 2010.
For more information, please see our previous Alerts on the topic by clicking on the links below:
For Further Information
If you have any questions regarding these regulations, including how they may affect your company, please contact Sandra A. Jeskie, a member of the Information Technologies and Telecom Practice Group or the lawyer in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.