Consumer and privacy advocates heralded Massachusetts for the March passage of the nation’s strictest law yet on data security. But in the months since, many of those charged with carrying out the law – including condominiums and property management firms – have struggled with its many requirements.
Experts familiar with the law are strongly advising condominium association boards and management companies to take steps to comply with it, and understand their potential liability.
The law, known as 201 CMR 17.00, can be read in full on the Office of Consumer Affairs and Business Regulation website (http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf).
Basically, it places stringent data security obligations on any organization that collects, uses, stores, transmits, or disposes of personal information (PI) about a Massachusetts resident. The law applies to entities outside the state as well, like a border state property management firm with Massachusetts portfolios.
PIs include a person’s full name (or last name plus first initial), and numbers such as Social Security, bank account, credit or debit card, driver’s license, PIN, or a code that would enable an unauthorized person to gain access to those accounts. (For condo associations, this information could be found on checks for condo fees or on forms that unit owners fill out for automatic withdrawal of those fees.)