The Massachusetts Attorney General’s Office and Belmont Savings Bank have agreed to resolve allegations that Belmont Savings Bank has violated the Commonwealth’s stringent data security regulations (see our post about 201 CMR 17.00 here) through an Assurance of Discontinuance, which has been filed in Massachusetts state court (see document here). Belmont Savings Bank has agreed to pay a civil penalty of $7,500 and has also agreed to institute new security and training procedures following a breach in May 2011, when an employee left a computer backup tape on a desk overnight, rather than in a storage vault. A surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General’s Office, was likely incinerated by the bank’s waste disposal company.
Amy Crafts
Application of New Massachusetts Data Security Regulations to Out-of-State Businesses
By Amy Crafts on
Massachusetts’s new data security regulations, effective as of March 1, 2010, currently set forth the country’s most stringent requirements for protecting data. Extending beyond what is required by other states, Massachusetts specifies that, for example, covered entities must implement a written information security program and must encrypt personal information that will be transmitted over the Internet, or that is kept on laptops and other portable devices. Massachusetts regulators and enforcement agencies would likely make the following three arguments that out of state entities must also comply with the new regulations.