Massachusetts businesses must do more to stop identity theft

credit_lockMany Massachusetts businesses will have to adopt new procedures to prevent the theft of sensitive customer information, as a result of new state regulations that take effect on May 1.

The new rules put Massachusetts in the forefront of protecting consumers' private data and preventing identity theft. However, they also create many new hurdles for some businesses at a time when those businesses are facing larger economic challenges.

The requirements are a response to the news that thieves stole some 45 million credit and debit card numbers from TJX Companies, the parent of the T.J. Maxx chain, back in 2007.

Under the rules, companies that hold personal information on Massachusetts residents are now required to:

• Establish a comprehensive information security program that uses up-to-date firewall protection;

• Inventory all systems that hold personal information; and

• Encrypt all data that are wirelessly transmitted, sent over the Internet, or saved on laptops or flash drives.

The regulations say that in deciding how far a company has to go to comply, it's necessary to take into account the size of the company, the resources it has available, and how much data it stores.