The Commonwealth of Massachusetts recently promulgated a new regulation, 201 CMR 17.00, titled Standards for The Protection of Personal Information of Residents of the Commonwealth. The purpose of the regulation is to implement “the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.” Personal information is defined as:
[A] Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Since all employers would normally store “personal information” about each employee, it appears that all employers who employ a resident of the Commonwealth of Massachusetts will be required to comply with the regulations. Governor Deval Patrick has also issued a related order, Executive Order 504, requiring certification of compliance with the order by all state contractors. There are significant procedures that must be implemented and substantial fines for non-compliance. Vision Payroll will be communicating its compliance with the new regulations to all affected clients before 2009. We strongly suggest that you contact your attorney as soon as possible to discuss implementation of the new provisions.