Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Tag Archives: Massachusetts Data Security Regulations

Massachusetts Attorney General Data Breach Investigation Results in $15,000 Settlement with Property Management Firm

Posted in 201 CMR 17.00, Data Breach, Data Breach Notification, Data Compliance & Security, Privacy Regulation

Written by Cynthia J. Larose and Adam Veness

Last October, a Maloney Properties, Inc. (“MPI”) company laptop containing unencrypted personal information, including social security numbers, for over 600 Massachusetts residents was stolen. Shortly after the incident, MPI sent letters to customers alerting them of the incident and related data breach. As a result of that… Continue Reading

Into the Breach – Security Failures Can Cost You

Posted in 201 CMR 17.00, Data Breach, Data Compliance & Security

Once again, we have evidence that failures to implement the most basic of data security measures can cost real money. The Massachusetts Attorney General’s office announced a consent order that fines a Boston restaurant group $110,000 and imposes a set of compliance measures that will also carry a price tag. Despite many headlines trumpeting the “first enforcement action,” this action… Continue Reading

Data Breach at NYC “Hop-on, Hop-off” Tour Company — 110,000 credit card numbers stolen

Posted in 201 CMR 17.00, Data Breach, Data Breach Notification, Data Compliance & Security

Since March 1, 2010, privacy professionals have been waiting for a data breach that could bring an enforcement action under 201 CMR 17.00, the Massachusetts privacy regulations. I just spoke with Paul Roberts, editor of, a blog that posted an entry yesterday regarding a breach that could do just that. Twin America LLC, the parent company of… Continue Reading

July 13 Data Security Workshop – FREE

Posted in Data Breach

On July 13, Mintz Levin will be joined by Sophos, Six Weight Consulting, and MFA Cornerstone Consulting to hold a free compliance workshop focused on both the gaps and overlap of Massachusetts’ data protection regulation 201 CMR 17.00 and the recent updates to federal health and medical data privacy found in the HITECH Act. We’ll… Continue Reading

Massachusetts Data Security Compliance Workshop

Posted in Data Compliance & Security

In case your data security compliance plan is stuck in neutral, you have questions, or you haven’t started yet…there will be a free (!) breakfast hands-on workshop on Thursday in Tewksbury, MA. “Massachusetts Data Protection Law: Demystifying the Details” is being sponsored by the Merrimack Valley Venture Forum. The Merrimack Valley Venture Forum has assembled… Continue Reading

Today is the day……

Posted in Data Compliance & Security

After implementation delays and rule changes, new data protection regulations that are widely considered the most stringent in the nation take effect today. The Massachusetts data security regulations require institutions that hold personal data on Massachusetts citizens to encrypt that information and implement written data protection policies, reports the Boston Globe. Discussion continues and questions… Continue Reading

Top 3 questions relating to compliance with 201 CMR 17.00

Posted in Data Compliance & Security

At the beginning of the “countdown” to the March 1st effective date of 201 CMR 17.00, we offered some posts with “misapprehensions” and compliance suggestions (see 16 Days to March 1….. and Countdown to compliance with 201 CMR 17.00…..11 days). Here are some questions that have been reoccurring over the last few weeks: 1) What… Continue Reading

T Minus 10,080 Minutes and Counting…..

Posted in Employee Privacy

We have just one week to go before all entities that own, store, license — or basically do anything with — personal information of Massachusetts residents must comply with the Commonwealth’s new data security regulations. Things to consider: Have you done your risk assessment? Looked at what you collect and how you collect and how… Continue Reading

Countdown to compliance with 201 CMR 17.00…..11 days

Posted in Data Compliance & Security

As we approach the 10 day mark to the March 1 effective date of the Massachusetts data security regulations, 201 CMR 17.00, we thought that we would share another misapprehension in the ever-growing list. “I ordered one of those $99 “Compliance Kits” from the Internet, and they say that they will “certify” that I am… Continue Reading

16 Days to March 1…..

Posted in Data Compliance & Security

Just in case you missed it, March 1 is the deadline for compliance with 201 CMR 17.00, the new Massachusetts data security regulations, and we published a client alert last week as a “reminder”… Privacy and Security Alert. In addition to the top five “misapprehensions” about the applicability of the new regulations that we included… Continue Reading

27 days and counting…

Posted in Data Compliance & Security

March 1st is the deadline for compliance with the Massachusetts data security regulations, 201 CMR 17.00. We have blogged incessantly for months about the need to get compliance programs into gear and develop information security plans as required by the regulations. The time is here. If you are one of the procrastinators (and, you are… Continue Reading

Data Privacy Day – Tip #4 – Transactional Best Practices for Lawyers

Posted in Employee Privacy

Written by Michael Arnold and Jennifer Rubin

Even though lawyers working on both sides of an M&A transaction during the due diligence phase might immerse themselves in a “confidentiality bubble”, they still must be careful not to disclose or access confidential employee information in the course of that transaction. Attorneys evaluating potential transactions might be… Continue Reading

Happy Data Privacy Day! Tip #1

Posted in Data Compliance & Security

Today is worldwide Data Privacy Day. What is your company doing to promote data privacy and security in your enterprise? I’ll be participating in a KnowledgeNet in Boston, sponsored by the International Association of Privacy Professionals. The discussion topic is Privacy Awareness and Training. And don’t forget, the March 1 deadline for compliance with the… Continue Reading

Massachusetts Attorney General proposes privacy regulations to apply to her office

Posted in Data Compliance & Security, Legislation

Written by Cynthia and Elissa

An oft-cited criticism of the Massachusetts data security regulations (201 CMR 17.00), effective March 1, 2010, is that the regulations specifically do not apply to government entities — the only reason being that the Office of Consumer Affairs and Business Regulation does not have the authority or jurisdiction to enact… Continue Reading

From Privacy Academy – The Seven Step Program

Posted in Data Compliance & Security

Sounds like common sense, but it is food for thought — and will be required under new Massachusetts data security regulations: The seven easy ways to protect PC based information from theft The proliferation of Personal Storage Devices (thumb drives, iPods, USB external hard disks, etc.) and simple remote access has created unprecedented levels of… Continue Reading

Changes to the Massachusetts Data Security Regulations: What do they really mean?

Posted in Legislation

Now that the dust has settled after this week’s “Breaking News” regarding the proposed changes to the Massachusetts data security regulations, here is an analysis of what the changes actually mean to the business community. Some other interesting commentary is linked below: Evan Schuman – Storefront Backtalk

BREAKING NEWS – Changes to 201 CMR 17.00

Posted in Legislation

Just released – proposed amendments to the Massachusetts data security regulations — and a three-month extension of time to comply. Stay tuned for a full analysis.

To Encrypt or Not To Encrypt…….An Incentive Rather than a Mandate From Michigan

Posted in Data Breach

Add Michigan to the list of states that are proposing that adoption of comprehensive data security safeguards will provide a safe harbor for data breaches. The Information Security Program Standards Act introduced last week differs a bit from Massachusetts and Nevada (and other pending legislation) in that it would not require the implementation of detailed… Continue Reading

Massachusetts Data Security Standards vs. New HIPAA Guidelines

Posted in Data Compliance & Security

Here’s a link to an article (by the author of this blog…) comparing the Massachusetts data security standards (effective January 1, 2010) to the Department of Health & Human Services Guidelines promulgated under the new HITECH Act (effective in mid-September). Compliance challenges are coming on all fronts — and it’s best not to duplicate… Continue Reading