So you’ve heard about the Massachusetts data security regulations and want to know how they apply to REALTORS®.
In 2010, Massachusetts enacted comprehensive data security and protection regulations. The regulations apply to any person or business that collects, owns, or licenses personal information of a resident of the Commonwealth, including employees. Personal information includes a person’s first and last name in conjunction with their social security number, driver’s license number or state-issued ID card number, or financial account number, including credit or debit card numbers. Personal information does not include information that is lawfully obtained from publicly available information.
How REALTORS® can comply:
The statute and regulations require persons or businesses with personal information to develop a Written Information Security Program (WISP). The scope and complexity of the document will vary depending on the type of personal information you will keep and the resources you have available. The WISP must identify the measures that will be taken to safeguard both electronic and hardcopy files. For example, the regulations state that the WISP must specify “reasonable restrictions upon physical access to records containing personal information and storage of such records and data in locked facilities, storage areas or containers.” Additional information, including sample language for REALTORS®, is posted on the Massachusetts Association of REALTORS® (MAR) website here: www.marealtor.com.
What sort of information in a real estate transaction would be considered personal?
It is important to recognize that in some real estate transactions no personal information may be collected by the broker. A common example of personal information would be a personal check from a buyer that includes a bank account number on the actual check. When the broker receives the check or a copy, the broker has collected personal information and needs to ensure that the information is protected in accordance with the regulations. By keeping the application in a locked file cabinet with limited access or redacting the personal information, the broker has taken one step to comply with the regulations. It is advised that all brokers review what information is taken from customers and clients, regardless of the type of transaction. Knowing in advance what information you collect will help you develop your WISP and remain in compliance. It is also important to review all forms and information that are collected from consumers to ensure that no unnecessary personal information is being collected.
Does your office have to meet the same requirements imposed on large investment banks and other major corporations?
No. The Commonwealth’s Office of Consumer Affairs adopted a “risk-based” approach that directs a business to establish a written security program that takes into account the particular business's size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. This approach is especially important to those small businesses that do not handle or store large amounts of personal information.