"The state’s new identity theft regulations known more formally as “Standards for the Protection of Personal Information of Residents of the Commonwealth” went into effect on March 1... companies that violate the regulations face penalties including civil fines of up to $5,000 per violation, three times actual damages for individuals affected by identity theft, and the reasonable costs of the investigation and litigation, including attorneys’ fees. Costs of the investigation alone can be in the millions of dollars."
The article explains the types of sensitive personal information businesses of all sizes must protect:
"Personal information is defined as a Massachusetts resident’s first and last name or first initial and last name in combination with one or more of the following: (a) social security number; (b) driver’s license number or state-issued ID card number; or (c) financial account number, credit or debit card number, with or without passwords or PINs. For most small businesses such personal information is readily found in employee personnel files and 401(k) forms and sometimes customer files."
Businesses must develop:
"... a comprehensive written information security program (WISP) designed to (a) ensure the security and confidentiality of “personal information” of residents of Massachusetts; (b) protect against anticipated threats or hazards to the security of the information; and (c) protect against unauthorized access to or use of such information."
Records or files containing personal information must be encrypted when they are transmitted over public networks, including the Internet, or over wireless networks. A company's WISP must also address the measures it takes to protect the sensitive personal information it shares with vendors and third-party suppliers.