Personal Data Law Makes Businesses Shy

Last month in Massachusetts, a new law went into effect that was passed back in 2007.  The law says that all businesses that have personal data on MA residents need to have a written data security plan in place.  An article on BusinessInsurance.com reports, “Massachusetts passed the law in response to data breaches by retailers, including Framingham, Mass.-based TJX Cos. Inc., which revealed in 2007 that hackers had obtained millions of its customers’ credit and debit card and driver’s license information.”

Previously, and in other states, what would happen is that once there was a data breach, then a company would have to take steps to correct the situation.  This new law is more preemptive in nature, aiming to protect MA residents before they are victimized.  Makes sense.  However, it has the potential to cause huge legal problems for companies who are not in compliance.   The law allows for a $5000 fine for businesses who are not prepared, but the law is unclear about whether that fine is per incident or per client who is victimized.