Enforcement of the Massachusetts Data Privacy Law

It’s been almost 18 months since the Massachusetts Data Privacy Law went into effect. Belmont Savings Bank has become one of the first charged with violating the law.

Belmont Savings Bank maintained personal information on an unencrypted backup data tape and then lost the tape. According to surveillance footage the tape was likely discarded inadvertently by the overnight clearing crew and sent to the incinerator.

There were several rounds of changes between the first version of 201 CMR 17.00 and the final one. One central element was the requirement that there be written information security plan in place if your company has “personal information” on a Massachusetts resident. Obviously, you need to comply with the plan.

In this case, Belmont Savings Bank has the plan. But they failed to comply with it. The data tape should have been locked-up overnight and not left on a desk.

The Massachusetts’ Attorney General entered into an Assurance of Discontinuance with Belmont Savings Bank. As part of the settlement, the bank has to

  • encryp, to the extent technically feasible, all personal information stored on backup data tapes
  • store backup data tapes containing personal information in a secure location
  • effectively train its workforce on the policies and procedures with respect to maintaining the security of personal information

There is no evidence indicating that any customer’s personal information has been acquired or used by an unauthorized person or used for an unauthorized purpose. The Assurance of Discontinuance states that if actual harm to customers results, the Attorney General’s Office will reopen discussions to determine appropriate restitution.