Page 70 - BusinessWest April 27, 2026

Safety First
How to Approach Data Security Concerns — and Compliance
BY JOHN S. GANNON, ESQ.
Workplace privacy and data security are growing concerns for
employers as they contend with advanced cybersecurity and ransomware
threats, instant transfers of sensitive personnel information,
an abundance of employee and medical information that needs to
be protected, and laws that protect employees from intrusions into their
privacy.
Employees regularly provide their employers with sensitive personal
information, such as health records, Social Security numbers, and tax and
payroll information. Businesses that fail to implement adequate security
measures to safeguard this information can be held liable if this data is
compromised.
For example, although not an employment case, in 2022, T-Mobile
agreed to pay $350 million to settle a class action lawsuit focused on a
2021 data breach impacting more than 76 million people. And in 2023,
Whole Foods paid $300,000 to settle a class action lawsuit brought by
employees who claimed the grocery giant unlawfully collected voice data
from employees who worked at the company’s distribution centers.
In Massachusetts, the state’s Data Security Law and Regulations set
stringent standards for the protection of personal information of Massachusetts
residents (including employees) and mandate compliance from businesses
handling such data. The law and regulations establish minimum
standards to be met in connection with the safeguarding of personal information
contained in both paper and electronic records. They are aimed at
ensuring the security and confidentiality of sensitive data and protecting
against unauthorized access to, or use of, such information that may result
in substantial harm or inconvenience to any Massachusetts resident.
The WISP Requirement
Under the Massachusetts Data Security Law and Regulations, if your
business (wherever it’s located) collects, stores, or uses personal information
about a Massachusetts resident, the business is required to implement
and maintain a comprehensive written information security program
(WISP). This includes employers who collect personal information about
their workforce, which virtually all of them do.
The WISP is required to include administrative, technical, and physical
safeguards for protection of personal information (PI) about a resident of
the Commonwealth of Massachusetts.
For the purposes of the WISP, PI means a Massachusetts resident’s