Data Security and Personally Identifiable Information (PII)

If your business collects and/or stores personally identifiable information (PII), Massachusetts data privacy laws apply to you. Massachusetts data security law is among the most comprehensive in the country. When discussing Massachusetts data privacy we are referring to M.G.L. c. 93H (breach notification and definitions); M.G.L. c. 93I (destruction of PII); and 201 CMR 17.00 (implementing regulations for the protection of PII). Failure to comply with the law can be expensive. And yet, as with many other procedural laws (read: regulations), we tend to think about the money we will spend to comply with the rules rather than the cost should something happen.

While the law is comprehensive, for small businesses running a couple of computers, compliance does not mean breaking the bank. For example, when developing your WISP (discussed below) it could be that you implement a plan as simple as turning on Windows Update for operating system patches, making sure that your antivirus software is current and running, and checking on a regular basis to make sure that any updates are applied. You would also make sure that files and emails containing PII stored on or sent from your computers are encrypted. And, if you store documents on paper, you would make certain they are kept in a locked cabinet.

So what exactly is personally identifiable information? If your company collects:

a Massachusetts resident’s first name or initial and last name and any one of the following:

  • Social Security number;
  • driver’s license number;
  • state-issued identification card (including state school student ID) number; or
  • financial account number or credit card number, with or without any required security code, access code, personal identification number (PIN), or password that would permit access to the account. (NOTE: a financial account is broadly defined)

you are the owner and/or the custodian of personally identifiable information.

In addition to the obvious custodians of PII, for instance, businesses that process credit cards or checks, based on the above definition of PII, every employer of a Massachusetts resident has personal information of its employees.
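The definition above is a rule you can apply mechanically when taking inventory of the data your business holds, which is the first thing a WISP asks you to know. The following is an added example, not code from the original post or from OCABR: it flags records that contain a first name or initial plus last name together with any one of the enumerated identifiers, treats access codes (PIN, security code, password) as not changing the outcome, and masks the identifiers so the inventory report does not itself become PII. The field names and sample records are constructed for illustration; it does not check Massachusetts residency, which your own records may or may not carry.

```python
"""Added example: classify records against the M.G.L. c. 93H definition of
personal information (name + one enumerated identifier). Field names and
sample records are constructed; they are not from the statute or the post."""

import re

# Identifiers enumerated in the statute (constructed field names).
IDENTIFIER_FIELDS = ("ssn", "drivers_license", "state_id",
                     "financial_account", "credit_card")

# Access codes: relevant "with or without", so they never decide the outcome.
ACCESS_CODE_FIELDS = ("pin", "security_code", "password")


def _present(value):
    """True when a field holds a non-blank value."""
    return bool(value and str(value).strip())


def has_name(record):
    """First name OR initial, combined with a last name."""
    return _present(record.get("first_name")) and _present(record.get("last_name"))


def present_identifiers(record):
    """Which enumerated identifiers this record actually carries."""
    return [f for f in IDENTIFIER_FIELDS if _present(record.get(f))]


def classify(record):
    """Return (is_pii, reason) for one record under the definition quoted above."""
    ids = present_identifiers(record)
    if not has_name(record):
        if ids:
            return False, "identifier without a name does not meet the definition"
        return False, "no name and no enumerated identifier"
    if not ids:
        codes = [f for f in ACCESS_CODE_FIELDS if _present(record.get(f))]
        if codes:
            return False, "name plus access code only; no enumerated identifier"
        return False, "name only"
    return True, "name + " + ", ".join(ids)


def mask(value):
    """Keep only the last four digits so an inventory report is not itself PII."""
    digits = re.sub(r"\D", "", str(value))
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def inventory(records):
    """Summarise each record: id, verdict, reason, and masked identifiers."""
    report = []
    for rec in records:
        is_pii, reason = classify(rec)
        report.append({
            "id": rec.get("id", "?"),
            "pii": is_pii,
            "reason": reason,
            "identifiers": {f: mask(rec[f]) for f in present_identifiers(rec)},
        })
    return report


def pii_count(records):
    """Number of records that must be covered by the WISP."""
    return sum(1 for rec in records if classify(rec)[0])


# Constructed sample records: customers and one employee record.
SAMPLE_RECORDS = [
    {"id": "cust-001", "first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789"},
    {"id": "cust-002", "first_name": "J", "last_name": "Smith",
     "credit_card": "4111 1111 1111 1111"},          # initial + card, no CVV: still PII
    {"id": "cust-003", "last_name": "Brown", "pin": "1234"},   # access code only
    {"id": "cust-004", "ssn": "987-65-4321"},                  # identifier, no name
    {"id": "emp-001", "first_name": "Tom", "last_name": "Lee",
     "drivers_license": "S12345678"},                # employee record counts too
]

if __name__ == "__main__":
    for row in inventory(SAMPLE_RECORDS):
        print(row)
    print("records containing PII:", pii_count(SAMPLE_RECORDS))
```

Running the block prints a masked inventory and reports three of the five constructed records as PII: the two customer records with a name plus SSN or card number, and the employee record with a name plus driver's license. The PIN-only and SSN-only records fall outside the definition, which is exactly why a data inventory should check the combination rather than the presence of any one field.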

The cornerstone for compliance with the law is your “Written Information Security Plan” or WISP. Every business that handles PII must have a WISP. The regulations list over a dozen specific requirements that the WISP must include. Your written information security plan will lay out the who, what, when, where and how of your company procedure for protecting PII.

The regulations do not adopt a one-size-fits-all approach. Compliance will be determined by the size, scope, and type of business, the amount of resources available to the business, the amount of data stored, and the need for security and confidentiality of both consumer and employee information (201 C.M.R. § 17.03).

While the WISP is necessary to ensure compliance, it is not sufficient. There are also regulations explaining how to destroy PII, a requirement that any third party you work with has procedures in place to protect PII, and a procedure for reporting in the event of a breach.

From the Commonwealth’s Office of Consumer Affairs and Business Regulation (OCABR) website:

Sample WISP:

Compliance checklist:

Frequently Asked Questions:

For more information or to talk about other business related concerns, please email me at:


Employee or Subcontractor?

Business is going well. You need help and are looking to hire someone. You have heard that it is cheaper and easier to employ someone as a subcontractor instead of as an employee. With subcontractors there’s no employer’s share of withholding taxes to pay, no unemployment premiums, no workers compensation, nothing; just pay a gross amount and at the end of the year give them a 1099-MISC. This arrangement seems perfect and will work unless you get caught. Is it worth the risk?

How is the Government going to find out, you might be wondering. While the odds of getting caught may not be great, they are real and they are expensive. Some examples of how you may get caught:

  • Someone you hired as a subcontractor gets hurt at work but does not have their own Workers Compensation Insurance.
  • Someone you hired as a subcontractor gets audited by the DOR.
  • Someone you hired as a subcontractor gets angry about something and calls any number of hotlines to report you or, worse, goes to see a lawyer.

Massachusetts law presumes, with very few exceptions (for instance, real estate agents), that workers are employees. Under our independent contractor statute (M.G.L.A. c. 149 § 148B) a worker is considered to be an employee unless you, the employer, can prove:

  • that the worker is free from the company’s control and direction in connection with the performance of the service, both under his contract for the performance of service and in fact; and
  • that the service that the worker performs is outside the usual course of business of the employer; and
  • that the individual is customarily engaged in an independently established trade, occupation, profession or business of the same nature as that involved in the service performed.

You must prove all three elements or the person you classified as a subcontractor will be held to be an employee. This will be costly. If the Commonwealth determines that you have misclassified someone, the damages awarded will be equal to the value of wages and benefits that the worker would have received as an employee. This amount will be tripled and includes costs and attorney fees. What you paid to the individual as a subcontractor does not matter, nor does it count against the damage award.

The amended law is relatively new but, surprise, the Courts have interpreted the statute very much in favor of classifying a worker as an employee.

For more information or to talk about other business related concerns please email