In an extension of the spate of litigation surrounding California’s Song-Beverly Credit Card Act and other laws like it, the U.S. District Court for the District of Massachusetts in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), followed the California Supreme Court’s lead in ruling that ZIP codes are “personal identification information” within the meaning of Mass. Gen. Laws, ch. 93, § 105(a). The court nonetheless dismissed the plaintiff’s putative class action because she failed to allege any legally cognizable harm as a result of Michaels’ collection of her ZIP code in connection with a credit card transaction. Retailers who were unhappy with the California Supreme Court’s opinion in Pineda probably will not be any more pleased with the court’s ZIP code reasoning here. But the result? You bet!

On August 25, 2011, the Massachusetts Appeals Court, in a case of first impression, ruled that the state crime lab’s retention of an individual’s DNA sample beyond the limitations promised to him by the police when they took the voluntary sample state a claim for invasion of privacy, and for violation of the state’s Fair Information Practices Act (“FIPA”). The case, Amato v. District Attorney, No. 10-P-354 (Mass. Ct. App. Aug. 25, 2011), is a significant win for privacy advocates and the Firm. Proskauer partner Mark Batten and former associate Sandra Badin handled the matter with assistance from the Firm’s pro bono partner, the ACLU.

The Massachusetts Attorney General’s Office and Belmont Savings Bank have agreed to resolve allegations that Belmont Savings Bank has violated the Commonwealth’s stringent data security regulations (see our post about 201 CMR 17.00 here) through an Assurance of Discontinuance, which has been filed in Massachusetts state court (see document here). Belmont Savings Bank has agreed to pay a civil penalty of $7,500 and has also agreed to institute new security and training procedures following a breach in May 2011, when an employee left a computer backup tape on a desk overnight, rather than in a storage vault. A surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General’s Office, was likely incinerated by the bank’s waste disposal company.

On March 28, 2011, the Massachusetts Superior Court issued a Final Judgment by Consent between the Commonwealth and Briar Group, LLC that resolves allegations that Briar Group failed to take measures to protect consumer credit and debit card information. Pursuant to the Final Judgment, Briar Group must pay $110,000 to the Commonwealth, establish a written information security program (“WISP”), and implement a number of other information security measures to help protect customer data.

As we’ve discussed in prior posts, newly effective regulations promulgated under Massachusetts’ recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach.  The regulations are national and international in scope, as they apply to all companies –

Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts’ data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010.  (Previous to an earlier extension, the compliance deadline was May 1, 2009.)

The revised regulations emphasize their “risk-based” approach, enabling persons covered by the regulations to tailor their information security programs to their size, scope, type of business, resources, amount of personal information, and need.  These changes were primarily intended to ease the burden of the regulations on small businesses that may not handle a significant amount of personal information, or may not have the resources to develop a sophisticated security program.  That said, the changes apply to all business, not just small businesses.

Businesses holding personal information of Massachusetts residents have at least one thing to be thankful for this holiday season.  As reported here, Massachusetts earlier this year established strict standards for protection of personal information about Massachusetts residents. Those standards include encryption of electronic data when stored or transmitted and