Thursday, March 18, 2010

New Privacy Legislation For Companies with Clients in Massachusetts

I received the following notice of a new law regarding private information held on any resident of the state of Massachusetts. This information must be secured in the manner outlined by the law. If it is not, and the information is leaked or exposed, then companies can be liable to suit by the Massachusetts Attorney General. Customers whose information was exposed can also use violation of the law as a further basis for their own privacy suit.

Liability from exposure of private information is NOT covered by a General Liability policy. Specialized coverage must be secured through a Cyber Liability policy - or possibly endorsed onto an Errors & Omissions (E&O) or Directors & Officers (D&O) policy.

Thanks to the specialists at Professional Risk Solutions (http://www.prsbrokers.com/) for sending this information out to agents.

More states might follow suit in the future.


New Massachusetts ‘Personal Information and Privacy’ Law: 201 CMR 17.00


Effective March 1, 2010


This affects:

Any company that maintains private, personal or confidential information on residents of Massachusetts. Confidential information includes financial, medical, credit, SSN, driver’s license, insurance policy numbers, and the like. Banks, leasing companies, insurance companies, brokerages, mortgage companies, credit companies, online retailers, utilities, and medical firms could all be affected by the new law.


Our recommendation:

For any company that maintains records on residents of Massachusetts, we urge you to review:

· data security procedures and practices to make sure they comply with the new law

· the Massachusetts compliance checklist

· insurance coverages and limits, including Cyber Liability and D&O


What the law says

Starting March 1, the new law requires that any company that holds personal information on Massachusetts residents must abide by certain standards and practices to protect and store that information, and prevent it from ‘leaking out’ or being exposed to unauthorized persons.


The law apparently applies independently of other data security regulations. So even if a company complies with HIPAA regulations, for example, the new Massachusetts requirements still apply.


It doesn’t matter whether the company or organization is based in Massachusetts or not - - only that they hold personal or private information on residents of Massachusetts.


What’s the insurance and liability issue?

If a company failed to follow these established standards and security practices -- and customer records were ever exposed, whether maliciously or accidentally -- the company could possibly be liable for action by the Massachusetts Attorney General. Or, consumers whose records or information were compromised could sue for damages. Having a stringent law ‘on the books’ about safeguards could conceivably strengthen their cases.


Kathleen O. Zortman

President

Professional Risk Solutions
