
Massachusetts Governor Signs ID Theft Bill

08/31/2007

By Diane Cadrain, SHRM

Massachusetts Gov. Deval Patrick on Aug. 3, 2007, signed a comprehensive identity theft bill that requires businesses and governments to notify consumers—and employees—when their data is lost or stolen.

Chapter 82 of the Acts of 2007 applies not only to businesses in relation to their customers, but also to companies in their role as employers and as repositories of employees’ personal information. The new law requires any “person” (defined as a natural person, corporation, association, partnership or other legal entity) that maintains or stores data that includes personal information about a resident of the commonwealth to notify those whose data it maintains, in these two situations:

• Whenever the business knows or has reason to know of a breach of security.

• Whenever the business knows or has reason to know that an unauthorized person acquired or used the data for an unauthorized purpose.

The law defines the term “personal information” as a resident’s first name and last name, or first initial and last name, combined with any one or more of the following:

• Social Security number.

• Driver’s license number or state-issued identification card number.

• Financial account number, or credit or debit card number.

The required notice can be written or electronic, and companies must provide it “as soon as practicable and without unreasonable delay.” If the cost of providing the notice would be over $250,000, or the notice would have to go out to over 500,000 residents, the business may provide substitute notice, which must include all of the following:

• Electronic mail notice, if the business has electronic mail addresses for the members of the affected class of Massachusetts residents.

• Clear and conspicuous posting of the notice on the company’s home page, if the business maintains a website.

• Publication in, or broadcast through, media that provide notice throughout the state.

In addition to these notification requirements, the new law also mandates standards for companies to follow when disposing of records containing personal information. Paper documents containing personal information must be redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed. Similarly, electronic media and other non-paper media containing personal information must be destroyed or erased so that personal information cannot practicably be read or reconstructed. Businesses may contract with third parties for either type of disposal.

The penalty for violation of these new requirements is a civil fine of up to $100 per data subject affected, subject to a cap of $50,000. Lawmakers gave the state attorney general the power to file a civil action in the superior or district court to recover these penalties.

According to the Federal Trade Commission, identity theft affects 10 million Americans annually and costs individuals and businesses $52 billion a year. In the Bay State, one recent high-profile case involved Framingham retailer TJX, which earlier this year disclosed to customers that thieves had gained access to more than 45 million credit- and debit-card numbers from its computers.

Diane Cadrain is an attorney who has been writing about employment law issues for more than 20 years. She is a member of the Human Resource Association of Central Connecticut.