
Massachusetts Data Security Breach Law
Massachusetts Data Security Breach 201 CMR 17.00
Data Security Team
In the wake of the recent TJX and Hannaford data breaches, Massachusetts passed new laws and regulations requiring that “all persons that own, license, store or maintain personal information about a resident of the Commonwealth” comply with strict requirements for safeguarding and disposing of such personal information, and for reporting data security breaches (Massachusetts General Laws chapters 93H and 93I, 201 CMR 17.00). These new laws place enormous burdens on virtually all Massachusetts businesses.
Significantly, the new laws require that by March 1, 2010, businesses: implement a written comprehensive information security program designed to safeguard data, appoint a data security coordinator, encrypt laptops, and verify that vendors are protecting personal information. The requirements of the new law do not end there; there are many other specific tasks that businesses must complete by March 2010. Commentators have remarked that the new laws are complex and virtually impossible to comply with, and a recent Boston Business Journal editorial said that the costs of compliance “promise to be steep and abrupt.” The penalties for non-compliance can be severe.
HRW established its Data Security Team to assist businesses in addressing the complex requirements of the new laws. The Data Security Team has developed a data security program, known as “ADIMR,” for assisting businesses to comply with the new data security laws in a manner that is thorough and meticulous, yet efficient and cost-effective. ADIMR consists of five phases: Assessment of existing systems and records, Drafting programs and policies specific to each company, Implementation of the programs and policies, Maintenance of the programs and policies, and Response protocol for breaches. ADIMR is intended not only to assist in compliance with the law, but is also specifically designed to reduce exposure in the event of a data breach.
Members of the Data Security Team have experience in dealing with high-stakes issues of data security and loss of personal information. They also have decades of experience in helping businesses design and implement policies and programs in their businesses and in the types of cross-discipline problem-solving required by the new laws and regulations. The Data Security Team has taken a leadership role in the legal community on the issue of data security, speaking on pertinent issues and training other lawyers on the new laws. The Data Security Team also monitors and participates in relevant legislative activities. In January 2009, a Data Security Team member testified at a public hearing on proposed amendments to the regulations, which led to a decision by Massachusetts consumer regulators to postpone the implementation of the regulations from May 1, 2009 to January 1, 2010, and to make certain other amendments that will ease the burdens on businesses in their efforts to comply. In August 2009, the implementation of the regulations was further postponed to March 1, 2010.
Data Security Team Members:
Andrea C. Kramer
C. Max Perlman
Erin D. Reed
David B. Wilson
Amanda Kellar Karras