As of March 1, 2010, companies that collect and retain personal information in connection with providing goods and services or for the purposes of employment must have a Comprehensive Written Information Security Program (WISP) designed to protect the personal information collected. For purposes of this program, personal information is defined as a Massachusetts resident’s name in combination with one or more of the following: the resident’s Social Security number, driver’s license number, financial account number, or credit or debit card number. An insurance policy number also qualifies as a financial account number if it allows anyone access to a person’s finances or could result in a misappropriation of monies, credit, or other assets.

Most, if not all, employers will be required to draft and implement a WISP. The written plan must include certain standards and procedures, including administrative, technical, and physical safeguards for protecting and storing any records in paper or electronic form containing personal information about Massachusetts residents. In addition, the program must mandate employee training on these security measures and include procedures for prohibiting terminated employees from accessing such information. The program is not one-size-fits-all. Instead, the type of program a company needs is dictated by its size, the scope and type of its business, available resources, amount of stored data, and the need for security and confidentiality of both consumer and employee information.

It is important that companies devise and implement their programs by March 1, 2010. The Massachusetts Attorney General’s Office is authorized to take enforcement action for noncompliance. Employees or consumers may also file private actions for damages, and may in some cases be awarded multiple damages and attorney’s fees, for breaches of security that result in the unauthorized disclosure of personal information.

 


CONTACT

Please contact a member of our Employment Law Practice to discuss the impact of these new laws on your company’s policies and practices.
