For Immediate Release - March 01, 2010

Patrick-Murray Administration's Identity Theft Protection Rules Take Effect Today

New regulations add layer of protection to residents' information; call for written security plan from holders of data

BOSTON - Consumers in Massachusetts will gain a new layer of protection on their personal information starting today, when new data security regulations created by the Patrick-Murray Administration go into effect.

The regulations, written by the Administration's Office of Consumer Affairs and Business Regulation, mandate any business or entity storing or transmitting personal information of a Massachusetts resident create a written security plan that details how that information will be protected from theft or loss. Personal information is defined as the combination of a consumer's name along with information like Social Security number, or bank or credit card account numbers.

"Consumers should feel confident that their personal information is protected, and not exposed to loss or theft," said Governor Deval Patrick. "These regulations improve the safety of personal information, while giving businesses the flexibility to secure that information without undue burden."

"In two years, over one million pieces of information belonging to Massachusetts residents were lost or stolen, creating stress, worry and financial inconveniences for consumers," said Barbara Anthony, the Undersecretary of the Office of Consumer Affairs and Business Regulation. "The rules taking effect March 1 will make it less likely that personal information is exposed, and create another layer of protection for consumers."

The regulations are part of the identity theft law signed by Governor Deval Patrick and balance consumer protections with the needs of small business owners. The regulations make clear that the approach to data security is a risk-based approach - which is especially important to small businesses that may not handle a lot of personal information about customers or employees. Under this risk-based approach, a business developing a written security program should take into account its size, nature of business, the kinds of records it maintains and the risk of identity theft posed by its operations.

"I don't think there is anybody more concerned about protecting personal information than small businesses," said Bill Vernon, the Massachusetts Director of the National Federation of Independent Businesses. "Like other consumers, small business owners want the personal information of their customers, their workers, and their family members protected. These amended regulations offer well thought-out, flexible safeguards for both the consuming public and businesses at a reasonable cost for most businesses."

"Plymouth Rock takes the protection of personal information very seriously. We're pleased that Massachusetts is taking the lead nationally in issuing these new regulations. Their new security measures will help businesses like ours provide even better protection for sensitive personal information," said Paula Gold, Vice President of Regulatory Affairs for Plymouth Rock Assurance Corporation.

"Associated Industries of Massachusetts believes that the final data security regulations promulgated by the Commonwealth's Office of Consumer Affairs and Business Regulations fulfill the legislative intent to ensure that holders of personal information on employees and customers take appropriate actions to prevent identify theft. We thank Governor Deval Patrick, Undersecretary Barbara Anthony, and her staff, along with Attorney General Martha Coakley, Representative Michael Rodrigues and Senator Michael Morrissey, for working with the employer community to develop an effective and practicable set of regulations. AIM urges all state agencies charged with implementing and enforcing these regulations to pursue a collaborative and educational posture toward the regulated community, especially small businesses, to enhance compliance and increase awareness." said Bradley A. MacDougall, Associate Vice President for Government Affairs at AIM.

Since the regulations' final draft was unveiled in August 2009, the Office of Consumer Affairs and Business Regulation has participated in about 30 seminars or meetings, talking about the rules with representatives of more than 1,500 businesses.

"What these regulations do is help create a culture of security," Anthony said. "Consumers have a higher level of trust with a business when they know their personal information is being protected."

For more information on the data security regulations, visit www.mass.gov/consumer .