Data Security and Personally Identifiable Information (PII)

If your business collects and/or stores personally identifiable information (PII), Massachusetts data privacy laws apply to you. Massachusetts data security law is among the most comprehensive in the country. When discussing Massachusetts data privacy, we are referring to M.G.L. c. 93H (breach notification and definitions), M.G.L. c. 93I (destruction of PII) and 201 CMR 17.00 (the implementing regulations for the protection of PII). Failure to comply with the law can be expensive. And yet, as with many other procedural laws (that is, regulations), we tend to think about the money we will spend to comply with the rules rather than the cost should something actually happen.

While the law is comprehensive, for a small business running a couple of computers, compliance does not mean breaking the bank. For example, when developing your WISP (discussed below), your plan may be as simple as turning on Windows Update for operating system patches, making sure that your antivirus software is current and running, and checking on a regular basis that updates have in fact been applied. It should also cover encrypting any files and emails containing PII that are stored on or sent from your computers. And, if you store documents on paper, it should require that they be kept in a locked cabinet.

So what exactly is personally identifiable information? If your company collects:

a Massachusetts resident's first name or initial and last name, together with any one of the following:

  • Social Security number;
  • driver's license number;
  • state-issued identification card number (including a state school student ID number); or
  • financial account number or credit card number, with or without any required security code, access code, personal identification number (PIN), or password that would permit access to the account (NOTE: "financial account" is broadly defined),

then you are the owner and/or the custodian of personally identifiable information.

The obvious custodians of PII are businesses that process credit cards or checks. But under the definition above, every employer of a Massachusetts resident also holds the personal information of its employees.

The cornerstone of compliance with the law is your "Written Information Security Plan," or WISP. Every business that handles PII must have a WISP. The regulations list over a dozen specific requirements that the WISP must address. Your written information security plan lays out the who, what, when, where and how of your company's procedures for protecting PII.

The regulations do not adopt a one-size-fits-all approach. Compliance is judged by the size, scope, and type of business, the resources available to the business, the amount of data stored, and the need for security and confidentiality of both consumer and employee information (201 C.M.R. § 17.03).

While the WISP is necessary for compliance, it is not sufficient. The regulations also explain how PII must be destroyed, require that any third party you work with has procedures in place to protect PII, and set out a procedure for reporting in the event of a breach.

From the Commonwealth’s Office of Consumer Affairs and Business Regulation (OCABR) website:

Sample WISP:

Compliance checklist:

Frequently Asked Questions:

For more information or to talk about other business related concerns, please email me at: