Law

Safety First

By John S. Gannon, Esq.

 

Workplace privacy and data security are growing concerns for employers as they contend with advanced cybersecurity and ransomware threats, instant transfers of sensitive personnel information, an abundance of employee and medical information that needs to be protected, and laws that protect employees from intrusions into their privacy.

Employees regularly provide their employers with sensitive personal information, such as health records, Social Security numbers, and tax and payroll information. Businesses that fail to implement adequate security measures to safeguard this information can be held liable if this data is compromised.

For example, although not an employment case, in 2022, T-Mobile agreed to pay $350 million to settle a class action lawsuit focused on a 2021 data breach impacting more than 76 million people. And in 2023, Whole Foods paid $300,000 to settle a class action lawsuit brought by employees who claimed the grocery giant unlawfully collected voice data from employees who worked at the company’s distribution centers.


In Massachusetts, the state’s Data Security Law and Regulations set stringent standards for the protection of personal information of Massachusetts residents (including employees) and mandate compliance from businesses handling such data. The law and regulations establish minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. They are aimed at ensuring the security and confidentiality of sensitive data and protecting against unauthorized access to, or use of, such information that may result in substantial harm or inconvenience to any Massachusetts resident.

 

The WISP Requirement

Under the Massachusetts Data Security Law and Regulations, if your business (wherever it’s located) collects, stores, or uses personal information about a Massachusetts resident, the business is required to implement and maintain a comprehensive written information security program (WISP). This includes employers who collect personal information about their workforce, which virtually all of them do.

The WISP is required to include administrative, technical, and physical safeguards for protection of personal information (PI) about a resident of the Commonwealth of Massachusetts.

For the purposes of the WISP, PI means a Massachusetts resident’s first name (or initial) and last name, in combination with the resident’s Social Security number, driver’s license number or state-issued ID card number, or financial account number or credit/debit card number. According to the state regulations implementing the Massachusetts Data Security Law, a WISP must include:

• Designating one or more employees to maintain and supervise WISP implementation and performance;

• Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing PI;

• Evaluating and improving the effectiveness of the current safeguards for limiting security risks, including proper training of employees on the importance of data security and reviewing means for detecting and preventing security system failures;

• Developing security policies for employees relating to the storage, access, and transportation of records containing PI;

• Imposing disciplinary measures for violations of your WISP rules;

• Preventing terminated employees from accessing records containing PI;

• Taking reasonable steps to select and oversee third-party service providers who have access to your PI; and

• Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing PI.

We typically encourage employers to work with counsel when they are developing a written information security program, as it must be designed to address the business’s risk profile while considering compliance obligations under the Massachusetts Data Security Law and Regulations.

 

What to Do If You Experience a Data Breach

If your business experiences a data breach, having a compliant WISP in place — while helpful — is not enough to meet your obligations under the Massachusetts Data Security Law. If a business knows or has reason to know they have experienced a data breach, the business must promptly notify the state Attorney General’s Office as well as all affected employees with written notice.

The notice to the Attorney General’s Office must explain the nature of the security breach or unauthorized access or use of PI, the number of Massachusetts residents affected by such incident at the time of notification, the person responsible for the incident (if known), the type of PI compromised, and all the steps the business has taken or plans to take relating to the incident, including maintaining and updating the WISP.

As for the employee notice, that must include information regarding the resident’s right to obtain a police report; how the resident can request a credit freeze; the information a resident will need to request a credit freeze; and that there is no fee for requesting, temporarily lifting, or permanently removing a security freeze with any of the consumer reporting agencies.

When a breach occurs, we recommend working with those who are experienced in supervising and conducting a prompt and effective data breach response. This may involve interviewing employees, working with IT staff or external forensics investigators to determine the nature and extent of the breach, drafting and submitting required notices to affected individuals and the Massachusetts Attorney General’s Office, and revising policies and procedures to prevent future data breaches.

 

John Gannon is a partner with Skoler, Abbott & Presser, P.C., a Springfield-based law firm exclusively practicing labor and employment law for more than a half-century, focusing on litigation avoidance, employment litigation, and labor law and relations. He specializes in employment law and regularly counsels employers on compliance with state and federal laws; (413) 737-4753.

Law

A Matter of Trusts

By Gina M. Barry, Esq.

 

In Massachusetts, if you pass away owning assets worth more than $2 million, your estate will likely owe Massachusetts estate tax. Fortunately, given a relatively recent change in the law, Massachusetts estate tax would be paid only on the amount over $2 million, as opposed to on the entire estate.

Many people think that their estate is not valued at more than $2 million; however, it is very easy to reach this level of value when you consider that every asset you own is valued for estate tax purposes. The focus of this article is on how married couples can use trusts to minimize, or possibly eliminate, the Massachusetts estate tax that would be due without this planning.

Under Massachusetts law, for deaths in 2026, there is no estate tax due so long as the decedent’s estate is not valued at over $2 million. Moreover, there is no estate tax due when all assets are left to a surviving spouse, as there is an unlimited marital deduction that applies regardless of how much money one spouse leaves to another.

The potential trap is that, upon the second death, when the surviving spouse is holding the entire estate, their estate will likely be taxed at a larger percentage. This is because the $2 million Massachusetts estate tax exemption is not portable between spouses. When the second of the two spouses dies, their exemption is still only $2 million.


A common estate planning technique to minimize, or possibly eliminate, Massachusetts estate tax is creating credit shelter trusts, which would allow both spouses to pass up to $2 million without paying estate tax.

As assets left outright to the surviving spouse would qualify for the marital deduction instead of using the estate tax exemption, it is necessary to use a system of trusts to cordon off the $2 million exempt from tax in Massachusetts from the surviving spouse’s direct and unfettered access.

Thus, the surviving spouse is forgoing control of the assets held in their deceased spouse’s trust to realize the goal of paying less or no estate tax when both spouses have passed away. Although the surviving spouse does not have unfettered access to the trust funds, they would have access according to the trust’s rules.

 

How It Works

Upon the passing of the first spouse to die, a subtrust will hold the $2 million exemption amount for Massachusetts purposes. With respect to the assets held in this trust, the income (money earned on trust assets) would automatically be distributed to the surviving spouse.

The surviving spouse may also be given an annual ‘5 and 5’ power that allows them to demand a distribution of 5% of the principal or $5,000, whichever is greater. In addition, should the surviving spouse require more monies to live in the manner they were accustomed to living when their spouse was alive, principal (trust assets) may be distributed at the trustee’s discretion.

A second subtrust, for Massachusetts purposes, will include the remainder of the estate, meaning any assets over and above $2 million. This trust will also provide the surviving spouse with all income and with principal distributed at the trustee’s discretion — and, again, the surviving spouse may be given the option to exercise a ‘5 and 5’ power as described above.

When the second spouse passes away, any monies in the first subtrust ($2 million), as well as any growth, will not be taxed in their estate. Thus, the trust has made these monies available to the surviving spouse for their needs without giving that spouse the direct ownership that would cause inclusion in their estate for estate tax purposes when they pass away.

As the surviving spouse will interact extensively with the trustee of the trust following the death of the first spouse, it is very important to choose a successor trustee that will get along with the surviving spouse. The successor trustee may be the surviving spouse, but it is highly recommended that there be a co-trustee serving along with them, such that the surviving spouse can be insulated from participating in making discretionary distributions of principal.

Very often, married couples choose to name their children as successor trustees to serve with or without the surviving spouse. When both spouses have died, the balance of the trust property would be distributed as set forth in the trust, usually outright to the married couple’s children or held in a continuing trust for their benefit.

 

Bottom Line

A credit shelter trust can also help to reduce or eliminate federal estate tax; however, for 2026 deaths, federal estate tax only impacts estates greater than $15 million. Couples with assets valued at $15 million or more would also want to explore additional planning opportunities that are beyond the scope of this article.

Any married couple wishing to take advantage of estate tax planning is encouraged to schedule an appointment with an attorney who works primarily in the area of estate planning. It is imperative that you plan now to avoid estate taxes later.

 

Gina M. Barry is a shareholder with the law firm Bacon Wilson, P.C. She is a member of the National Academy of Elder Law Attorneys, the Estate Planning Council, and the Western Massachusetts Elder Care Professionals Assoc. She concentrates her practice in the areas of estate and asset protection planning, probate administration, guardianships, conservatorships, and residential real estate; (413) 781-0560.