Important E-Alert on Employers' Compliance with the Identity Theft Regulations
Late last year, employers were given a brief reprieve when the Office of Consumer Affairs and Business Regulation ("OCABR") postponed the deadline for businesses to comply with the regulations pertaining to the identity theft law. OCABR had initially required employers to comply with these regulations by January 1, 2009; however, because the regulations themselves impose such onerous obligations on employers, OCABR extended the regulations' effective date to May 1, 2009.
The identity theft law requires employers to safeguard the "personal information" of their employees and customers. "Personal information" is defined as the last name and first name or initial of the individual in combination with data such as the individual's social security number, driver's license number or financial account number. The law applies to personal information whether it is stored in electronic or paper form.
Under these new regulations, any employer, regardless of its size or number of employees, that stores "personal information" must implement a written comprehensive information security program designed to protect personal information from unauthorized use and disclosure. The program must include very detailed internal procedures for storing and destroying personal information; written policies to distribute to employees on how to handle documents containing personal information; and training for employees on the program. The regulations also require that businesses encrypt all personal information stored on laptops by May 1, 2009 and ensure all other portable devices, such as PDAs, are encrypted by January 1, 2010. Additionally, if an employer uses a third party provider to maintain and/or destroy personal information, the employer must ensure that the third party provider complies with the law and, by January 1, 2010, must obtain written certification from the third party provider of compliance with the law.
The law is enforced by the Massachusetts Attorney General's Office and imposes penalties of $15,000 for each willful violation. Because the law is so onerous, we recommend that you begin planning for compliance immediately, as May 1 will be here before you know it. For more information about this new law or for assistance in drafting these written procedures, conducting employee training or otherwise bringing your business into compliance with this law, please contact Amy B. Royal, Esq. at (413) 586-2288 or at aroyal@rkesq.com.