in

This Blog

Syndication

Tags

AlertBoot Endpoint Security

Penalties For Mass. Personal Information Law Violation - 201 CMR 17.00

  • Up to $50,000 per improper disposal
  • Maximum of $5,000 per violation
  • The Massachusetts Attorney General can come after you
  • Above penatlies don't include lost business, dealing with irate customers, mailing out letters, and other associated costs

What are the financial ramifications of violating Massachusetts 201 CMR 17.00?  You may be familiar with some of the aspects of this law, dubbed the "Massachusetts Encryption Law" by many (although, it goes far beyond the encryption of computers via the use of laptop encryption software such as AlertBoot endpoint security systems).  Supposedly, the new law has more "teeth" than other state laws regarding personal information privacy because it allows for monetary fines.

So, the natural question is how much?  Nobody knows yet because it has to be tested, although the law gives us a clear idea of the potential damages.

201 CMR 17.00 - Penalties and Fines

I've noticed in my research that the figures of $50,000 and $5,000 per violation are bandied about quite a bit.  I've attempted to track down where these figures come from.  Looks like I'll need an actual lawyer to figure out what's what, but here are my findings to the best of my knowledge:

    • $100 per person affected with a maximum cap of $50,000 for each instance of improper data disposal.
    • There is no definition of what an "instance" is, though.  If you send two unencrypted computers with sensitive information to the curb at the same time, is that one instance of disposal or two?
    • Maximum $5,000 per violation, although it is not yet known what "per violation" means, exactly.  It could be based on, at least:
      • So, if an unencrypted computer is lost, and it contains two files with 50,000 personal data each, the maximum penalty could be $5,000 (violation itself), $10,000 (two files), or $250,000,000 (enough to bankrupt any company).  This clearly ties to the criticism that the laws are not as clear as they could be.
    • Failure to comply with either 93H or 93I (or both) will allow the Massachusetts AG to file suit with the company.
    • Courts can order treble the damages if it's concluded that there was a willful or knowing violation. (Whatever that means, it doesn't sound good.  Treble of what damages, exactly?)
    • Massachusetts residents may possibly file suit as well, leading to fines of actual damages or $25, whichever is greater.

All of the above is in addition to the other costs of a data breach: mailing letters alerting of the breach, lost revenue, setting up call centers, etc.  Sounds like signing up for encryption services like AlertBoot might be a smart move.

Published Jan 21 2009, 01:57 AM by sang_lee
Filed under: , , , , , , , , , , , , , , , , , ,
<Previous Next>

Data Encryption Software: UK Government Departments Deny Weak Data Security

An Overstatement: Heartland Payment Systems And The 100 Million Figure

Comments

AlertBoot Endpoint Security said:

Updated: February 2, 2009 By now, most businesses in Massachusetts are aware that the Office of Consumer

February 2, 2009 3:52 AM
 

AlertBoot Endpoint Security said:

All deadlines for compliance with the Massachusetts data protection law, 201 CMR 17.00, have been extended

February 17, 2009 3:00 PM
 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.