New Massachusetts Regulations Impose Substantial Obligations on Human Resources Departments to Safeguard Employees' Personal Information

Posted on October 23, 2008 by Philip Gordon

New Massachusetts regulations, effective January 1, 2009, are a clarion call for corporate human resources departments to join the war on identity theft. The regulations mandate the development and implementation of a "written, comprehensive information security program" to safeguard the information of Massachusetts employees and consumers. Such a program rarely will be fully effective without the involvement of human resources professionals and in-house employment counsel.

While these regulations apply only to organizations with Massachusetts employees, even employers without a Massachusetts presence should consider implementing a similar program. These regulations likely will be a model for other jurisdictions and could become the standard against which all information security programs are measured. Continue reading. . .

Tags: , , , , , ,

Connecticut Becomes Only the Second State to Mandate an Employee Data Protection Policy

Posted on June 23, 2008 by Philip Gordon

With the State of Connecticut reeling from a series of massive security breaches that have exposed the personal information of hundreds of thousands of state residents, Connecticut's Governor and General Assembly joined forces in mid-June to make Connecticut only the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee Social Security numbers (SSNs). The new Connecticut law — entitled, "An Act Concerning the Confidentiality of Social Security Numbers" (the "Act"), and effective October 1, 2008 — also imposes on private employers a statutory duty to safeguard, and properly dispose of, personal information more broadly defined. Continue reading. . .

Tags: , , , , , , ,

New Oregon Law Imposes Most Stringent Information Security Standards Yet On Employers

Posted on August 13, 2007 by Philip Gordon

An Oregon law, signed by Governor Ted Kulongoski in mid-July and effective January 1, 2008, establishes the strictest information security requirements imposed by any state law to date. This new law is especially significant for multi-state employers, as the statute applies to any business which maintains the “personal information” of an Oregon resident regardless of the size of the company’s presence in Oregon. Personal information is defined to include precisely the type of information which all employers maintain about every employee, i.e., first name or initial and last name plus social security number, driver’s license number, or financial account number.

The Oregon law requires employers who maintain personal information on Oregon residents to do the following:

  • Designate a security officer
  • Conduct a risk assessment
  • Assess the safeguards in place to manage the risks
  • Train employees in security policies and procedures
  • Require by contract that service providers maintain adequate security (note the connection to the trend discussed above)
  • Adjust the security program over time to meet changing circumstances
  • Implement adequate physical and technical safeguards
  • Properly dispose of personal information

While Oregon may be one of the less populous states, state legislators appear to be engaging in “one-upmanship” as they enact new data protection statutes. Employers can expect other states to attempt to match or exceed Oregon’s legislation. Consequently, employers can expect that, in the near future, they will need to take a closer look at their information security practices for employee data and take steps to better safeguard that information not as some extra effort but simply to be in compliance with newly enacted state data protection legislation.

Tags: , , , , ,