Thursday, November 8, 2007

Massachusetts Bill Has Universal Applicability

Massachusetts is the latest state to provide its citizens enhanced protection from identity theft. The law, entitled "An Act Relative to Security Freezes and Notification of Data Breaches" (the "Act"), was signed into law on August 2, 2007. the Act It consists of three main weapons: mandatory notification requirements in the event of a data security breach; data disposal requirements; and a "security freeze" procedure. The disposal requirements are effective on February 3, 2008 and the other two were effective October 31, 2007. There is nothing remarkable or new in the Act's requirements, but its expansive coverage sets it apart from the other states' laws. It applies to anyone who holds information relating to Massachusetts residents, and is not limited simply to those who conduct business with Massachusetts residents. This means natural persons, corporations and government agencies all are subject to its requirements, and is not limited to those who do so for business purposes. This could expand the coverage to include not for profit organizations such as PTAs and scout troops which collect personal information of their members, as well as less formal arrangements such as where a child handles financial matters for an aging parent. While the Act is likely to have minimal impact on financial institutions, since federal regulations already impose similar requirements, one wonders what the legislature's intent was in potentially subjecting individuals in a personal or non-commerce relationship to fines and Attorney General enforcement actions. Fortunately, there is no provision for a private right of action, so the Massachusetts court system should not see an increase in inter-family litigation resulting from the Act.

1 comment:

George said...

In your analysis of Massachusetts' new ID-theft law, does it extend to companies that employ offshore outsourcing contractors? Does it extend to their offices based in other countries?

I ask since the subject of data security and data breaches by offshore outsourcing firms seems to get little attention or press. I was wondering what your thoughts are on the subject. For background, see The Data Security Risks with Offshore Outsourcing.