BOSTON (2/12/10)--A new Massachusetts data protection regulation that goes into effect March 1 impacts all credit unions doing business in the state, said the Massachusetts Credit Union League. The regulation, 201 CMR 17.00, is designed to ensure the security and integrity of personal information for all Massachusetts residents and to combat the threat of identity theft. It establishes standards for storing and protecting consumer data and employee data (Feb. 10). The regulation also:
* Defines “personal information”;
* Mandates the designation of a data security coordinator;
* Requires the development of a written information security plan that outlines administrative, technical and physical safeguards to protect personal information; and
* Extends its protections to personal information that is shared with third parties.
Each credit union needs to identify its paper, electronic and other records, computing systems and storage media--including laptops and portable devices--that contain personal information, said the league. It also must develop procedures covering how it retains and destroys personal information data and records, and for the ongoing monitoring of this information.

Credit unions already comply with many features of this regulation that protect consumer personal financial information through the Gramm-Leach-Bliley Act and the National Credit Union Administration’s Rules and Regulations, Part 748. However, the new data security regulation does pose additional requirements for credit unions and extends data protection to employee and former employee records, said the league. The regulation also requires due diligence to ensure that third parties with access to the personal data of credit union members or employees comply with the new regulation.