Massachusetts Identity Theft Law

Note: The Winter 2010 Information Security Workshop Slides (PowerPoint) are available for download.

In 2007, Massachusetts enacted a law to protect Massachusetts residents from identity theft. As a business operating in Massachusetts, the College is subject to this law.

MA OCABR ID Theft Web Site

Massachusetts isn’t the only state with such a law. As of this writing, 39 states have some form of identity theft law, as do many foreign countries. All of these laws protect the residents of their particular state or country and thus each can apply to members of the Williams community who live outside Massachusetts.

Protected Personal Information

The law (201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH) defines Personal Information that must be protected as follows:

A Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

  • Social Security number (SSN)
  • driver’s license number or state-issued identification card number
  • financial account number, or credit or debit card number

Information in any format

Personal information as defined above must be protected in any form, whether paper or digital or other format.

Information at Rest

As of March 1, 2010, personal information as defined above must be encrypted when stored on any portable device such as a laptop, smartphone (iPhone, BlackBerry, etc.), or portable hard drive such as a USB drive.

Information in Motion

As of March 1, 2010, personal information as defined above must be encrypted when transmitted over a public network such as the Internet, including e-mail.

Security Breach Notification Requirement

If a breach or possible breach occurs:

The business must notify:

  • MA Office of Consumer Affairs and Business Regulation
  • The Massachusetts Attorney General
  • The individual(s) whose information is at risk

The notification to individuals must include:

  • Steps that have been taken or are planned to deal with the breach
  • Consumers’ right to obtain a police report
  • Instructions for requesting a credit report security freeze

The notification to individuals may not include:

  • The date of the breach
  • The number of MA residents affected

If you suspect a data breach may have occurred, talk to your supervisor or contact OIT for assistance.

Ways to Minimize the Risk of ID Theft

  • Do not send any protected information by e-mail unless you encrypt it first
  • If you receive an e-mail containing protected information, delete it as soon as possible
  • Don’t ask for or provide an SSN unless it’s absolutely necessary
    Note: All students, faculty, and staff have a unique 7-digit WMS ID.
    This ID is not protected by law and in most cases can be used instead of an SSN for on-campus business.
  • If you have a laptop computer, consider having its hard drive encrypted by OIT