To our clients and friends:

JANUARY 22, 2008


Massachusetts and Oregon Have Become the Two Latest States to Join the Flood of Data Breach Notification Legislation

In 2007, Massachusetts enacted a security breach notification statute that directed the Massachusetts Department of Consumer Affairs & Business Regulation (DCABR) to promulgate data security regulations. The DCABR is authorized to promulgate regulations “designed to safeguard the personal information of residents of the commonwealth … consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person is regulated.”

While the proposed regulations include, in some respects, elements of the federal “Safeguards Rule,” with which you are likely already familiar, they deviate in many respects from this standard and lack some of its essential elements. In addition, the proposed regulations’ treatment of encryption appears confusing, and the majority of data breach laws recognize that, in addition to encryption, “securing the information by another method that renders the data elements unreadable or unusable” is sufficient. There are also some other significant differences between the proposed Massachusetts regulations and the majority of data breach laws, creating compliance headaches and uncertainty for businesses that are located in Massachusetts but also own, store or process data belonging to residents of other states.

If you have any questions, or would like to discuss implementation of a compliance plan, including a data breach response plan, please let us know. Given that the Massachusetts statute contains monetary penalties for noncompliance, it’s an important part of the new year’s planning.

See also: Privacy and Security Alert: Massachusetts and Oregon Join Numerous Other States by Adopting Data Breach Notification Legislation (Aug. 22, 2007).

* * * * *

For assistance in this area, please contact:

Cynthia Larose, CIPP
617.348.1732 | CJLarose@mintz.com

Stefani Watterson, CIPP
202.661.8706 | SVWatterson@mintz.com

or any Mintz Levin attorney with whom you regularly work.