Massachusetts Company Fined $15,000 Under State’s Data Security Law

By Joseph J. Lazzarotti on April 10, 2012

Posted in Data Security, Identity Theft, Information Management, Information Risk, Written Information Security Program

As yet another example of the Massachusetts Attorney General enforcing compliance with the Commonwealth’s data privacy and security laws, that office recently reached a $15,000 settlement in an enforcement action involving Maloney Properties, Inc. (MPI), a property management company based in Massachusetts.

In the lawsuit, the AG alleged that MPI’s policies and procedures failed to adequately protect its customers’ personal information when an MPI employee stored the unencrypted personal information of 621 Massachusetts residents on a company laptop, left the laptop in a personal vehicle overnight, and the laptop was then stolen.

Although there was no indication that any of the personal information on the laptop was acquired or used by an unauthorized person or for an unauthorized purpose, the AG still required MPI to pay a monetary penalty of $15,000 and agree to take certain steps before ending its action against the company.

Some of the steps MPI agreed to take include complying with the Commonwealth’s regulations – including the requirement to encrypt personal information on portable devices, to the extent technically feasible. This also includes encrypting personal information on company-owned portable devices, ensuring that the devices are kept in secure locations, purging personal information when it’s not needed anymore, training its employees at least annually on encryption and proper storage, and performing an annual audit of its compliance with its Written Information Security Program (WISP). In addition, the company must submit the results of its 2012 and 2013 annual WISP audits to the AG’s Office.

The AG’s actions in this matter demonstrate that it does not take lightly the loss of Massachusetts residents’ personal information, even if that loss has not caused any known harm to the affected residents, and that it may remain watchful over the subject of an investigation for years to come. This provides a timely reminder for all companies of the importance of understanding and complying with the Commonwealth’s requirements in this area.

Workplace Privacy, Data Management & Security Report

Massachusetts Company Fined $15,000 Under State’s Data Security Law

Jackson Lewis

About Jackson Lewis