By Rebecca L. Rausch
Two new laws in Massachusetts require any person or
organization with access to records containing personal
information about Massachusetts residents to protect those
Chapter 93H mandates that security precautions be taken and
notice be provided in the event of any unauthorized access to,
or use of, personal information. Chapter 93H went into effect
on Oct. 31, 2007. The other new law, Chapter 93I (effective
Feb. 3), imposes certain destruction requirements for any
records, paper or electronic, containing such information.
Although these new laws were a legislative response to
recent credit security breaches, such as last yearís TJX
incident, the laws are broadly written and apply to a wide
range of organizations, including any employer with records
bearing an employeeís name and social security number.
All organizations subject to Chapters 93H and 93I must
comply with these new data management requirements or face
monetary penalties and potential suit brought by the
Massachusetts Attorney General.
If your organization does not yet have policies in place
addressing data protection, security breaches, and
destruction, they need to be prepared and implemented
Also, contracts with third parties handling personal
information, including data vendors and payroll companies,
should be modified to include safeguard and notice
requirements. Organizations subject to another state or
federal law governing data use and/or privacy, such as the
Health Insurance Portability and Accountability Act (HIPAA),
should be sure to consider the ways in which Chapters 93H and
93I may align with, or differ from, other applicable laws when
determining best practices for achieving compliance.
On Dec. 17, 2007, the Massachusetts Office of Consumer
Affairs and Business Regulation issued proposed regulations,
201 CMR 17.00, implementing the security requirements in
Chapter 93H. The comment period on these regulations ended
Jan. 11. At the time of this writing, it is unclear whether
the regulations will be modified prior to promulgation in
Notably, organizations subject to, and in compliance with,
any other law governing data security, such as HIPAA, are
deemed to comply with Chapter 93H, so long as the security
breach notifications discussed below are provided.
Specific sections of the new laws are highlighted below.
Identifying ëpersonal informationí
The laws define ìpersonal informationî as a Massachusetts
residentís first name or initial and last name, plus at
least one of three additional identifying data: (a) Social
Security number; or (b) driverís license number or
state-issued identification card number; or (c) financial
account number, or credit or debit card number.
Personal information can be in paper or electronic form.
A document containing a Massachusetts residentís full name
and address would not constitute personal information, nor
would a document containing the residentís initials and Social
Security number, but those two documents maintained together
in a single file or electronic record would qualify as
Initial security measures
The proposed regulations prescribe specific security
measures for protecting personal information. Every
organization that ìowns, licenses, stores or maintains
personal information about a resident of the Commonwealth
shall develop, implement, maintain and monitor a
comprehensive, written information security program applicable
to any records containing such personal information.î
The safeguards maintained in the comprehensive information
security program (CISP) must be ìreasonably consistentî with
industry standards and any otherwise applicable state or
federal law, such as HIPAA.
All CISPs must contain at least 11 distinct components,
including: a designated employee to maintain the CISP;
contractual representations from third party service providers
that they have adequate protection for personal information;
disciplinary measures for violations of the CISP rules; and a
process for documenting responsive actions taken in connection
with any security breach.
Any organization that electronically stores or transmits
personal information must include another nine components in
its CISP, including: user authentication protocols; access
control measures; encryptions; employee education and
training; and a written procedure for restricting physical
access to computerized personal information records.
In the event of any unauthorized access to or use of
personal information, Chapter 93H mandates prompt reporting of
the incident. Any organization owning or licensing data
containing personal information that ìknows or has reason to
know that the personal information . . . was acquired or used
by an unauthorized person or used for an unauthorized purposeî
must issue notice of the breach to: (1) the Massachusetts
Attorney General; (2) the Director of Consumer Affairs; and
(3) the affected Massachusetts resident.
Organizations that maintain or store such personal data,
rather than directly owning or licensing it, must only provide
notice to the data owner/licensee. The owner/licensee must
then make the three above required notifications.
Destroying personal information
Chapter 93I will require all organizations that dispose of
records containing personal information to destroy such
records, whether paper or electronic, ìso that personal
information cannot practicably be read or reconstructed.î
Paper records containing personal information should be
shredded or burned.
Electronic records containing personal information must be
fully erased, a process that generally requires rewriting over
the space on the storage media where the records formerly
existed. Organizations may contract with third parties such as
data management companies to appropriately destroy records, as
long as the third party implements and monitors compliance
with the security provisions in Chapter 93H. Contracts with
these third parties should now include explicit data safeguard
requirements. Organizations should train employees about the
new destruction requirements. Simply tossing paper into the
recycle bin or pressing the ìdeleteî key will no longer
Penalties for failing to comply
Any organization that violates Chapter 93I faces a civil
fine of up to $100 per affected person, with a total possible
fine of $50,000 for each instance of improper disposal.
Failure to comply with Chapter 93H or 93I may subject the
offender to a suit by the Attorney General under Chapter 93A,
the consumer protection law. Violations may mean triple
damages, as well as attorneysí fees and legal costs.
Rebecca Rausch practices in the health care group of the
Boston law firm of Krokidas and Bluestein, representing
hospitals, community health centers, group care facilities,
special education schools, nursing homes, and other health
care providers. She focuses on litigation, corporate
governance, and regulatory compliance, including HIPAA and
other privacy concerns. Rebecca can be contacted at
617.482.7211 or email@example.com.