Penalties For Mass. Personal Information Law Violation - 201 CMR 17.00
- Up to $50,000 per improper disposal
- Maximum of $5,000 per violation
- The Massachusetts Attorney General can come after you
- The above penalties don't include lost business, dealing with irate customers, mailing out letters, and other associated costs
201 CMR 17.00 - Penalties and Fines
I've noticed in my research that the figures of $50,000 and $5,000 per
violation are bandied about quite a bit. I've attempted to track
down where these figures come from. Looks like I'll need an actual
lawyer to figure out what's what, but here are my findings to the best
of my knowledge:
General Law 93I
- $100 per person affected, with a maximum cap of $50,000 for each instance of improper data disposal.
- There is no definition of what an "instance" is, though. If you send two unencrypted computers with sensitive information to the curb at the same time, is that one instance of disposal or
Mass. General Law 93H
- Maximum $5,000 per violation, although it is not yet known what "per violation" means, exactly. It could be counted per case, per person, or per file.
- So, if an unencrypted computer is lost, and it contains two files with 50,000 personal records each, the maximum penalty could be $5,000 (the violation itself), $10,000 (two files), or $250,000,000 (enough to bankrupt any company). This clearly ties in to the criticism that the laws are not as clear as they could be.
General Law 93A
- Failure to comply with either 93H or 93I (or both) will allow the Massachusetts AG to file suit against the company.
- Courts can order treble damages if it's concluded that there was a
or knowing violation. (Whatever that means, it doesn't sound good. Treble of what damages, exactly?)
- Massachusetts residents may also be able to file suit, leading to fines of actual damages or $25, whichever is greater.