Just in case you missed it, March 1 is the deadline for compliance with 201 CMR 17.00, the new Massachusetts data security regulations, and we published a client alert last week as a "reminder"... Privacy and Security Alert.
In addition to the top five "misapprehensions" about the applicability of the new regulations that we included in the Privacy and Security Alert, here are a couple of others:
"We are a [law][dental][medical] practice and have [patient][client] confidentiality obligations. The regulations do not apply to our activities."
Patient/client confidentiality obligations are separate and apart from the requirements of 201 CMR 17.00. The Data Security Regulations apply to any entity "in commerce" that owns, stores, licenses or maintains the personal information of Massachusetts residents. It is highly likely in the course of a medical practice that the practice would have at least patient name, address and social security number. Also, because a health insurance number entitles one to obtain benefits and could impose a financial burden on the individual in the wrong hands, such account number could also be "PI". Lawyers with trusts and estates practices, immigration practices and employment practices will certainly have some amount of PI in their files. Lawyers may have PI that is obtained in the course of conducting transactions (real estate closings, private placements, etc.), on certain tax forms to make payments, or on other types of transactional documents. All of these would come under the Data Security Regulations and a Plan must be developed for administrative, physical and technical safeguarding of the PI.
"We only have 5 employees. Isn't there an exemption for small companies?"
There is no "small company exemption" under the Data Security Regulations. If you are "in commerce," the requirements of 201 CMR 17.00 to safeguard PI apply to you. However, the Data Security Regulations also state that your Plan for safeguarding such PI may be commensurate with the size and resources of your business and the scope of the PI. If you do not have any PI other than that of your employees, and all of that is under lock and key in a single file cabinet, then your Plan can state exactly that. But, you must have a Plan.