In August of 2009, the Massachusetts Office of Consumer Affairs and Business Regulation issued regulations (the “Regulations”) that set forth data privacy standards governing the treatment of personal information of Massachusetts residents.[1] These data privacy standards must be met by any person or non-governmental legal entity that receives, maintains, processes, or otherwise has access to the “personal information” of Massachusetts residents in connection with providing goods or services, or in connection with employment. “Personal information” is defined under the Regulations as a Massachusetts resident’s first and last name or first initial and last name, coupled with any one of the following: (a) Social Security number; (b) driver’s license or state-issued ID card number; or (c) financial account number or credit or debit card number that would permit access to a financial account. Note that the definition is not limited to customer data: employee records (for example, payroll files containing names and Social Security numbers) fall within it, which is why the Regulations reach employment relationships as well as commercial ones. The Regulations specify March 1, 2010 as the compliance deadline.
If the Regulations apply to your organization (i.e., if your organization, in the course of its business, receives, maintains, processes, or otherwise has access to the “personal information” of Massachusetts residents), you must develop, implement, and maintain a comprehensive information security program that meets certain criteria, as further described below. As part of the information security program, your organization must also meet certain computer system security requirements, which are also described below.
Comprehensive Information Security Program
The comprehensive information security program required by the Regulations must be written, and, generally speaking, must contain administrative, technical, and physical safeguards that are appropriate to: (a) the size, scope and type of business of the organization; (b) the amount of resources available to such organization; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. Because the Regulations account for an organization’s size, scope of business, and resources, not all organizations will be held to the same standard with respect to the overall scope of their information security program.[2]
Nevertheless, the Regulations do list specific requirements that must be met by every information security program. For brevity, we do not list all of them here, but examples of such requirements include:
- Designating an employee to maintain the information security program, and regularly monitoring the program to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to personal information;
- Identifying foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks;
- Developing security policies for employees relating to the storage, access and transmission of personal information, training employees with respect to such policies, and imposing disciplinary measures for violations of the information security program;
- Preventing terminated employees from accessing records containing personal information (in practice, promptly revoking both physical and electronic access when employment ends);
- Documenting any actions taken in response to a breach of security affecting personal information; and
- Contractually requiring third-party service providers that handle personal information to implement and maintain security measures that meet the Regulations and any applicable federal regulations (contracts entered into no later than March 1, 2010 are deemed to satisfy this requirement until March 1, 2012, even if they lack such a clause).[3]
Computer System Security
In addition to implementing a comprehensive information security program, organizations that electronically store or transmit personal information must, to the extent technically feasible, implement certain types of computer security. Under the Regulations, a measure is “technically feasible” if there is a reasonable means through technology to accomplish the required result; where such a means exists, it must be used. These requirements include, among other things: (a) implementing secure user authentication protocols and access controls, including measures that limit access to personal information to only those who need such access to perform their jobs; (b) encrypting personal information transmitted across public networks or wirelessly; (c) encrypting personal information stored on laptops or other portable devices; (d) implementing and maintaining reasonably up-to-date firewalls, operating system security patches, monitoring of systems for unauthorized use of or access to personal information, and anti-virus/anti-malware software; and (e) training employees on the proper use of the computer security system and the importance of personal information security.[4]
Next Steps for Your Organization
The first step is to determine if the Regulations apply to your organization: do you have Massachusetts-based customers or employees whose personal information you handle in the course of running your business? If so, it is critical that you develop an information security program that is reasonable in light of your organization’s size, scope of business, and available resources, but that nevertheless meets the requirements set forth in the Regulations.
In addition, beginning March 1, 2010, if your organization procures services from any third-party service provider that will handle the personal information of your Massachusetts-based customers or employees, you should ensure that your contract with the provider requires it to comply with the Regulations and any applicable federal regulations regarding the protection of personal information. Conversely, if your organization is a service provider that handles the personal information of Massachusetts residents, it may be prudent to update your form agreements to address compliance with the Regulations.
Finally, experience with data protection legislation suggests that other states are likely to follow Massachusetts’ lead. It would thus be prudent for your organization to establish a comprehensive information security program proactively, protecting the personal information of your customers and employees in anticipation of that eventuality, even if your organization does not currently have any Massachusetts-based customers or employees.