The Massachusetts Office for Consumer Affairs and Business Regulation (OCABR) recently issued regulations, effective May 1, 2009, requiring that every business develop comprehensive written procedures and policies to ensure that personal information of Massachusetts residents is protected. Every employer possessing personal information about their employees will need to comply with the requirements.

Business leaders are negotiating actively to modify several of the most costly and onerous provisions of these regulations before they become effective. Readers may want to speak to their legislators to voice their concerns. We will continue to follow developments and provide timely updates.

Employers should nonetheless take these steps by May 1:

  • Have in place a comprehensive written information security program (WISP), described more fully herein. The WISP should be developed after management, IT personnel, HR personnel, and counsel evaluate the employer’s current use of personal information, and it should be tailored to the employer’s business needs.
  • Ensure that the WISP protects personal information in both paper and electronic forms. All computers, including wireless systems, must provide for restricted access and secure user authentication protocols must be implemented. Records containing personal information must be encrypted on any portable device and when transmitted.
  • Have in place protocols to evaluate the WISP, to discipline employees who violate the WISP, and to ensure that terminated employees are prevented from accessing employee personal information.
  • Take reasonable steps to ensure that third-party vendors protect personal information.



OCABR’s regulations impose complex requirements on an employer or any other entity that owns, licenses, stores, or maintain personal information of any Massachusetts resident. “Personal information” is defined as the name of a Massachusetts resident in combination with his or her Social Security number; driver’s license or state ID number; financial account number; credit card number or debit card number. Accordingly, the regulations will apply to virtually every employer that obtains employees’ social security numbers or information pertaining to an employee’s bank account, even direct deposit information.



The WISP must protect personal information in both paper and in electronic forms. The WISP must:

  • Designate one or more employees to maintain and oversee the WISP.
  • Identify paper, electronic and other records, computing systems, and storage media including laptops and portable devices used to store personal information to determine which records contain personal information.
  • Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other record containing personal information and improve the effectiveness of the current safeguards for limiting such risks.
  • Develop security policies for employees that take into account whether and how employees should be allowed to keep, access, and transport records containing personal information outside the business premises.
  • Limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limit the time the information is retained; and limit access to those persons who are reasonably required to know it.
  • Impose reasonable restrictions on physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted.
  • Include regular monitoring to ensure the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information.
  • Review the scope of the security measures annually and upgrade the WISP as necessary.

Obviously, developing a WISP will require understanding what personal information is in the possession of the employer, where it is located, and who has access to the information. Moreover, going forward, employers should obtain only that personal information necessary for their business.



Every entity that owns, licenses, stores or maintains personal information electronically or transmits this information electronically must include in its WISP a security system covering its computers, including wireless systems. Required elements include:

  • Secure user authentication including a secure method of assigning and selecting passwords, restricted access to active users and active user accounts, and blocked access to user identification after multiple unsuccessful attempts to gain access have been discovered.
  • Restricted access to records and files containing personal information to those who need such information to perform their job duties.
  • Encryption (to the extent technically feasible) of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly.
  • Reasonable monitoring of systems for unauthorized use of or access to personal information.
  • Encryption of all personal information stored on laptops or other portable devices.
  • Installation of a reasonably up-to-date firewall and operating system security patches.
  • Installation of up-to-date versions of system security software, which must include malware protection that receives security updates on a regular basis.

OCABR estimates that a small business of 10 employees could incur up-front compliance costs (including services of an IT consultant) in the range of $3,000 and approximately $500 per month in maintenance fees.



Documented post-incident review of any incidents including a breach of security is mandatory. Employers must also document responsive actions taken in connection with any such incident. Further, employers must impose disciplinary measures for violations of the WISP.



OCABR also requires that employers prevent terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names. This new requirement lends further support to the practice of most employers of denying computer access immediately to employees who have been terminated.



One of the most problematic components of the new requirements is that businesses must take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect personal information. Service providers must by contract be required to maintain safeguards as well. Further complicating matters, independent contractors who store, maintain, or have access to personal information must provide written certification to the employer of their compliance with the regulations.



Compliance with the regulations will be evaluated by OCABR taking in account (i) the size, scope, and type of business of the entity obligated to safeguard the personal information under the WISP, (ii) the amount of resources available to such entity, (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information.



Please contact a member of our Employment Law Practice to discuss the impact of these new laws on your company’s policies and practices.

Return to Resources