The new standards for disposing of records containing personal information, which became effective earlier this year, establish important new practices for all persons, including employers, who dispose of records containing personal information relating to Massachusetts residents. Chapter 93I’s requirements apply regardless of where the employer is located. Thus a New York employer, for example, that disposes of the records of an employee who is a Massachusetts resident must comply with the new standards.
The Chapter 93I standards are meant to help prevent, or at least limit, the harms suffered by victims of identity theft. Personal information is defined as a person’s first and last name or first initial and last name, in combination with one of the following: a social security number, driver’s license number, Massachusetts identification card number, financial account number, credit or debit card number, or biometric indicator.
Personal information, as defined under Chapter 93I, can be found in a variety of places within a business or agency, such as employment records, credit records, financial information, state and federal filings with regulators, IT database systems, and records within the legal counsel’s office. For example, if a business or agency uses direct deposit to pay its employees, it has records containing personal information that must be destroyed pursuant to Chapter 93I.
Paper documents containing personal information must be “redacted, burned, pulverized or shredded so that personal data cannot practically be read or reconstructed.” Electronic media and other non-paper media containing personal information must be “destroyed or erased so that personal information cannot practically be read or reconstructed.” For magnetic disks and tape this is commonly done by overwriting the space on the storage media where the records formerly existed, which is only effective where the file system actually rewrites the same blocks in place. Overwriting is not a reliable method for solid-state and flash media, whose wear-leveling firmware may retain copies of old data in blocks the operating system cannot address, nor for copy-on-write or snapshotting file systems or cloud storage that keeps earlier versions; for those, cryptographic erasure (destroying the key of an encrypted volume), degaussing (magnetic media only) or physical destruction is the appropriate method. NIST Special Publication 800-88, the federal media sanitization guideline, distinguishes these “clear,” “purge” and “destroy” techniques by media type and is a useful reference for choosing one that satisfies the “cannot practically be read or reconstructed” standard.
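To make the overwrite approach concrete, here is an added example (written for this advisory, not code from the statute or from Nutter) that overwrites a file in place, reads it back to verify the original bytes are gone, then truncates and unlinks it. The sample payroll record, the file name prefix and the function names are constructed for the illustration; the placeholder name, SSN and account numbers are not real data. It assumes a file system that rewrites blocks in place on a magnetic disk; the docstring repeats the limits for flash, copy-on-write and snapshotting storage, where this routine does not satisfy the standard.

```python
import os
import secrets
import tempfile

# Constructed sample: a direct-deposit line of the kind Chapter 93I covers.
# Name, SSN, account and routing numbers are placeholders, not real data.
SAMPLE_RECORD = b"Doe,Jane,SSN=000-00-0000,ACCT=000000000,ROUTING=000000000\n"


def overwrite_in_place(path, passes=3, chunk=1 << 16):
    """Overwrite every byte of `path` with random data, finish with a pass of
    zeros, read the file back to confirm the original content is gone, then
    truncate and unlink it.  Returns True only if the read-back check passed.

    Assumption: the file system rewrites blocks in place (e.g. ext4 without
    snapshots on a magnetic disk).  On SSDs and other flash media with wear
    levelling, on copy-on-write or snapshotting file systems, on cloud block
    storage, and wherever journals or backups hold copies, the old bytes may
    survive this routine; there a cryptographic erase, degaussing (magnetic
    media only) or physical destruction is required (NIST SP 800-88 "purge"
    or "destroy").
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:      # unbuffered: writes go straight to the OS
        for p in range(passes):
            last = p == passes - 1
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(bytes(n) if last else secrets.token_bytes(n))
                remaining -= n
            os.fsync(f.fileno())     # force each pass to the device, not just the page cache
        f.seek(0)
        verified = f.readall() == bytes(size)      # every byte should now be zero
        f.truncate(0)                # also drop the length, which would leak the record size
        os.fsync(f.fileno())
    os.remove(path)
    return verified


def dispose_sample_record(directory=None):
    """Write the constructed record to a temporary file, sanitize it, and
    report whether the overwrite was verified and the file is gone."""
    fd, path = tempfile.mkstemp(prefix="payroll-", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_RECORD * 2000)   # ~120 KB, so the overwrite spans more than one chunk
    verified = overwrite_in_place(path)
    return {"verified": verified, "still_exists": os.path.exists(path)}


if __name__ == "__main__":
    print(dispose_sample_record())
```

The read-back check is the part worth keeping in any disposal procedure: a destruction step that is not verified (here, that the blocks actually read as zeros afterward) cannot be shown to meet the standard if the disposal is later questioned. For whole devices rather than individual files, the same idea applies at the block-device level, but the media-type caveats above decide whether overwriting is the right technique at all.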
Third parties may be contracted to dispose of these records, but those third parties must comply with the policies and procedures that prohibit unauthorized access to, acquisition of, or use of personal information during the collection, transportation and disposal of personal information.
Note that under the law, which became effective February 3, 2008, there is no requirement that the personal information be used in commerce, that the person holding the information have any other contact with Massachusetts, or even that a person disposing of personal information know that the records contain personal information. Failure to comply with these standards can result in a civil fine of up to $100 per data subject, with the maximum fine being $50,000 for each instance of improper disposal. Therefore, it is important that any person or agency holding personal information relating to Massachusetts residents ensure that its destruction procedures comply with these new standards.
To protect itself, a business or agency should inventory all records containing personal information and ensure that those records are properly destroyed. Additionally, all organizations should conduct training sessions with employees, including executives, about their data security policies and about how to properly dispose of personal information. This advisory was prepared by Kathryn K. Conde of Nutter’s Data Security Breach and Privacy Law practice group. For further information, please contact Kathryn, David or your Nutter attorney at 617-439-2000.
This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.