The regulations define personal information as a Massachusetts resident's first name or initial and last name in addition to one or more of the following pieces of data: Social Security number, driver's license or state-issued identification number, and account or credit-debit card number.

To protect the data, the regulation spells out requirements for a range of technology and data management steps.

These range from a "reasonably secure" method of assigning passwords or using "unique identifier technologies," such as biometrics or token device to detailed description of encryption methodology.

Credit unions have to encrypt documents transmitted over the Internet, or saved on laptops or flash drives. Also, they must have "reasonably up-to-date firewall protection" and "operating system security patches."

They must also have updated security agent software, which provides validation of user identity before it allows network access. This must include protections against malicious software and also must contain virus definitions and operating system security patches.

The credit union must review the security systems in place at least annually or more often if there is a "material change in business practices that may reasonably implicate the security and integrity" of the records.

Also, if there are data breaches, the credit union must document any action it takes to remedy the individual situation and the broader security policy.

Credit unions must perform due diligence to ensure that third parties with access to member data comply with the regulation.

The penalties for noncompliance can be stiff. Violators can be levied a $5,000 civil penalty and may be forced to pay investigation and litigation costs. Also, if a company improperly disposes of data, it can be fined up to $50,000.

To comply with these technological requirements, a credit union can purchase software aimed at securing the data. One such product is the Biscom Delivery Server, a secure file transfer application.

–[email protected]