
December 15, 2008

New Privacy Regulations: Big Job Ahead for Businesses

Updated information about the below regulations can be found in the article "Commonwealth's Privacy Regulations Revised and Simplified".

COMPLIANCE DEADLINE: May 1, 2009

Just over a year ago, in response to several well-publicized breaches of confidential customer financial information, the Massachusetts Legislature passed a well-intentioned and straightforward law intended to “safeguard the personal information of residents of the commonwealth.” Mass. G.L. c. 93H. Fulfilling its charge to promulgate regulations implementing the new law, the Office of Consumer Affairs and Business Regulation (the “OCABR”) recently published extensive requirements for every person or business that “own[s], license[s], store[s] or maintain[s]” personal information of a resident of the Commonwealth to achieve the mandated protections. The breadth, cost and implementation timetable of these regulations, found at 201 C.M.R. 17.00 et seq., have caused a backlash from affected businesses.

In the short term, to ease the predicted strain on businesses, the OCABR has postponed the deadlines for compliance from January 1, 2009 to May 1, 2009 (and in some cases, to January 1, 2010), but many businesses will still be hard-pressed to timely comply, especially given the added costs most will incur to revamp information technology policies and software. Notably, neither the law nor the regulations contain any exemption or opt-out for any category or size of business (which may be as small as a single person’s sole proprietorship). However, both the law and regulations recognize that the “size, scope and type of business” as well as the volume of personal data handled by a particular business will be taken into account when evaluating compliance with the regulations. All businesses, including those outside of Massachusetts, are subject to these regulations when they hold personal information of residents of the Commonwealth.

What is Protected:

Personal information is specifically defined as a resident’s first name or initial along with his or her last name, in combination with one or more of the resident’s 1) social security number, 2) driver’s license number or state-issued identification card number, or 3) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to the account.

If any of the foregoing information is lawfully available to the general public, it is not considered personal information under the statute and regulations.

How Personal Information Must Be Protected:

Generally, each business must create a written information security program (“WISP”) that sets forth the components of its privacy plan “applicable to any records containing . . . personal information” and is customized to its business. The regulations recognize two levels of protection: one generally applicable to all records with personal information, and a second level applicable to personal information on computers and other electronic devices.

General Protections for All Personal Information:

Every WISP must contain provisions for:

1) Designating one or more employees to maintain the security program;

2) Placing limits on the collection of personal information, on the length of time it is retained, and on the persons allowed access to the information, in each case to “that reasonably necessary to accomplish the legitimate purpose for which it is collected” or to comply with state and federal retention requirements;

3) Identifying all records and places personal information is stored within the business, unless all information will be treated as personal information;

4) Providing, in writing, reasonable restrictions on physical access to personal information and storage of such information in locked areas or containers;

5) Assessing the risk of disclosure of personal information in all records that the business holds, including an assessment of existing safeguards (for example, employee training, compliance with security policies, how breaches of security are prevented/detected);

6) Identifying security policies for employees (for example, use and transport of personal information outside the business, discipline for violations of policy, and cutting off access to information immediately upon termination of employment);

7) Verifying that third-party vendors with access to personal information comply with the regulations, including revising contracts to require vendors to maintain security safeguards. Effective January 1, 2010, a business must obtain from each third-party vendor a certification that it has a WISP which complies with the regulations;

8) Including procedures for regular monitoring and upgrading of security measures;

9) Requiring at least annual review of security procedures or review whenever the business undergoes a material change in practices implicating records containing personal information; and,

10) Outlining procedures for documenting any breach of security, mandatory post-breach review of events and remedial measures to protect personal information.

Protections for Personal Information in Electronic Form:

When a person or business “electronically stores or transmits” personal information, the WISP must include security procedures covering computers and wireless systems, such as:

1) Secure user authentication protocols that a) control user ids and the methods of assigning and selecting passwords or other unique access technologies, b) keep passwords in a location and format that does not compromise the security of the data they protect, c) restrict access to active users and active accounts, and d) block access to a user id after multiple unsuccessful attempts to gain access to the system;

2) Restrictions on access to records with personal information to only those employees with a “need to know” and assignment of user id plus passwords to access the secure system;

3) Encrypting all transmitted records and files containing personal information that will travel across public networks, and encrypting all personal information transmitted wirelessly;

4) Monitoring electronic systems for unauthorized use;

5) Encrypting all personal information on laptops and other portable devices (effective January 1, 2010);

6) Reasonably up-to-date firewall protection, operating system security patches, and system security agent software (including malware and virus protection) that is supported with current patches and virus definitions and set to receive security updates on a regular basis; and,

7) Employee training and education on security of electronic personal information.
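The authentication requirements in item 1 above are the one place where the regulations come close to prescribing a mechanism, so an added illustration follows. This is example code written for this page, not code from OCABR, the regulations, or the article's author. It shows passwords stored only as salted PBKDF2 hashes rather than in the clear, inactive accounts refused (which is also how the "cut off access on termination" point in the general list is carried out), and a user id blocked for a fixed period after repeated failed attempts, with each failure and lockout recorded so the system can be monitored for unauthorized use (item 4). The specific numbers (five attempts, a fifteen-minute lockout, the PBKDF2 iteration count) are assumed policy values; the regulations set no figures.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed policy values for this example; 201 CMR 17.00 does not specify them.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 200_000


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes       # PBKDF2-HMAC-SHA256 digest; the password itself is never stored
    active: bool = True        # cleared when employment ends, so the account cannot log in
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class AuthStore:
    """In-memory account store (constructed for the example; a real system would persist it)."""

    def __init__(self):
        self._accounts = {}
        self.events = []  # (timestamp, user_id, event) records for monitoring

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def create(self, user_id, password, active=True):
        salt = secrets.token_bytes(16)
        self._accounts[user_id] = Account(user_id, salt, self._derive(password, salt), active)

    def deactivate(self, user_id):
        """Terminated employee: the account stays on record but can no longer authenticate."""
        self._accounts[user_id].active = False

    def authenticate(self, user_id, password, now=None):
        """Return 'ok', 'denied', 'inactive' or 'locked'."""
        now = time.time() if now is None else now
        acct = self._accounts.get(user_id)
        if acct is None:
            # Do the same work for unknown ids so response time does not reveal which ids exist.
            self._derive(password, secrets.token_bytes(16))
            self.events.append((now, user_id, "unknown-user"))
            return "denied"
        if not acct.active:
            self.events.append((now, user_id, "inactive-account"))
            return "inactive"
        if now < acct.locked_until:
            self.events.append((now, user_id, "attempt-while-locked"))
            return "locked"
        candidate = self._derive(password, acct.salt)
        if hmac.compare_digest(candidate, acct.password_hash):
            acct.failed_attempts = 0
            self.events.append((now, user_id, "login"))
            return "ok"
        acct.failed_attempts += 1
        self.events.append((now, user_id, "failed-login"))
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            self.events.append((now, user_id, "locked-out"))
            return "locked"
        return "denied"


def lockout_events(store):
    """Rows a monitoring job would pull: user ids that hit the lockout threshold."""
    return [(ts, uid) for ts, uid, ev in store.events if ev == "locked-out"]


if __name__ == "__main__":
    store = AuthStore()
    store.create("jdoe", "correct horse battery staple")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.authenticate("jdoe", "wrong-password"))
    print(lockout_events(store))
```

The `now` parameter exists so the lockout window can be exercised deterministically; production code would leave it unset. Note that a locked account is refused even when the correct password is supplied, which is what "blocking access to the user id" means in practice.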

Disclosure of a Breach:

Disclosure obligations under the statute are triggered whenever a person or business becomes aware of a security breach, or learns that personal information was acquired or used by an unauthorized person or for an unauthorized purpose. A security breach is broadly defined as the unauthorized acquisition or use of unencrypted data containing personal information, or of encrypted data together with the confidential process or key that is capable of compromising it, where the event creates a substantial risk of identity theft or fraud against a resident. In other words, encryption keeps an incident outside the definition only so long as the key or decryption process was not also exposed. If the person or business merely stores or maintains personal information, it must timely disclose the breach to the owner or licensor, provide the required information about the breach, and cooperate with the owner/licensor. An owner or licensor of personal information must provide notice of any breach to affected residents, the Attorney General of the Commonwealth and the director of OCABR. The statute describes the information that must be provided about the breach.

Enforcement:

Enforcement is entrusted to the Attorney General’s Office, which may seek injunctive relief as well as civil penalties. The Attorney General’s office has not yet issued any guidance about its enforcement of the law or regulations.

Bottom Line:

Almost all businesses will be subject to the new regulations, because the most basic personnel information for employees (name plus social security number) is, by definition, personal information. Many businesses subject to these regulations already take some, if not all, of the foregoing measures to protect personal information, as well as other information considered confidential or proprietary to their business, whether dictated by law (in which case these entities may already be close to compliant) or by industry standard. Most, however, will need to re-examine current protections and practices, if not start from square one, to create a WISP that includes the key components mandated by OCABR. Involving a senior information systems employee or consultant will be essential for any business keeping personal information electronically. Furthermore, each business should update contracts with third-party vendors who handle personal information (payroll companies, copying facilities, document storage facilities, etc.) to ensure that those vendors are also compliant. Beginning in 2010, vendors will need to provide a certification of compliance.

While OCABR is not unsympathetic to this new financial burden for businesses in a difficult economic time, to date it has shown no inclination to modify the foregoing requirements other than to extend the deadline for compliance. Businesses are therefore well advised to begin the process of bringing systems into compliance as soon as possible.


Printed from: http://www.murphyking.com/index.cfm/page/newsitem/wnid/290/New-Privacy-Regulations---Big-Job-Ahead-for-Businesses