Not all real estate professionals may yet be aware that they must comply with G.L.c. 93H, the new Massachusetts law that takes effect on March 1, 2010. The new law establishes minimum standards for private businesses in safeguarding Massachusetts residents’ personal information in paper and electronic records. If an individual or business holds such personal information regarding a Massachusetts resident, the requirement will apply even if the individual or business has no facilities or personnel in Massachusetts.
“WISP” is the acronym for the words “written information security program.” Having a WISP to protect personal information is required under G.L.c. 93H and 201 CMR 17.00, et seq., and must be in place no later than March 1, 2010. Under the new Massachusetts law and regulations, every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.
The law further states that such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records. Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated. (201 CMR 17.03)
“Personal information” is defined as a “Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account… ‘Personal information’ shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public…” such as records that might be obtained from the Registry of Deeds or Public Assessor’s Records. (201 CMR 17.02)
All real estate professionals should be aware of the new law and have WISP protocols in place by the March 1, 2010 deadline.
For a copy of the regulation please visit: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf