The clock is ticking for companies to comply with the Massachusetts Data Security Regulations. Massachusetts enacted one of the country's strictest data security laws that will have a nationwide impact on all companies that do business with residents of Massachusetts or have Massachusetts employees. At the heart of the new regulations are the requirements to (i) develop, implement and maintain a comprehensive, written information security program; (ii) implement physical, administrative and extensive technical security controls, including the use of encryption; and (iii) verify that any third-party service providers that have access to personal information can protect such information. The regulations require full compliance by January 1st, 2010.
The new regulations apply to all persons that own, license, store or maintain personal information about a Massachusetts resident, so even organizations that do not have a physical presence in Massachusetts should anticipate that they will need to comply with the regulations if they maintain personal information about any Massachusetts resident.
These regulations come at a time when data breaches are still in the headlines and the costs for coping with such breaches have never been higher. The Poneman Institute's recent privacy survey found that the average cost to a company for each record compromised was $202 and resulting customer churn due to loss of confidence was 3.6%. While the security safeguards required by the regulations are certainly extensive and somewhat onerous, they are aimed at minimizing the most common causes of security breaches such as an employee's loss of a company laptop or flash drive containing unencrypted customer or employee personal data, or where personal data is lost during shipment to a storage facility, or where personal data is obtained without authorization by former employees, independent contractors, affiliates, consultants or outsourcing companies. The far-reaching implications of the regulations together with the absence of a federal data breach law suggest that they may become a model for other state laws and could become a benchmark for all information security programs.
Required Elements of the Information Security Program
The cornerstone of the regulations is the requirement for businesses to develop, implement, maintain and monitor a "comprehensive written information security program" designed to ensure the security and confidentiality of any records containing personal information. The regulations define personal information as the first name or initial and last name in combination with (i) Social Security number; (b) driver's license number or state issued identification number; or (iii) financial account number, or credit or debit card number with or without any security code, access code or password. Information on Massachusetts employees or customers falling within the scope of this definition is likely to be held by numerous companies nationwide as part of Human Resources or customer databases or by third-party service providers storing or processing personal information on a company's behalf.
The regulations go further than any other state privacy laws by specifying the specific administrative, physical and technical measures required to be implemented under the information security policy. The extensive nature of these obligations, together with the significant undertaking required to develop such a written policy forced the Massachusetts regulators to extend the deadline for full compliance until January, 2010.
The regulations require not only the attention of IT professionals, but HR departments, in-house employment, procurement and commercial teams as well as counsel in order to effectively implement the procedures, protocols and training programs mandated.
The regulations establish minimum standards for the protection of personal information. The information security program must:
- Designate one or more employees to maintain the comprehensive information security program;
- Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluate and improve the effectiveness of the current safeguards for limiting such risks, including but not limited to: (i) ongoing employee (including temporary and contract employee) training; (ii) employee compliance with policies and procedures; and (iii) means for detecting and preventing security system failures.
- Develop security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.
- Impose disciplinary measures for violations of the comprehensive information security program.
- Prevent terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.
- Take reasonable steps to verify that third-party service providers with access to personal information have the capacity currently in place to protect such personal information.
- Limit the amount of personal information collected, the length of time such information is retained, and the access to such information to only that which is reasonably necessary.
- Identify paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.
- Establish reasonable restrictions on physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted and ensure that such records and data are stored only in locked facilities, storage areas or containers.
- Include regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information and upgrading information safeguards as necessary to limit such risks.
- Review the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
- Document responsive actions taken in connection with any incident involving a breach of security and conduct a mandatory post-incident review of events and actions taken, if any, to make changes to business practices relating to the protection of personal information resulting from such breach.
Computer System Security Requirements
These program requirements apply to personal information whether it exists in electronic or paper form. However, businesses that electronically store or transmit personal information must incorporate additional computer and wireless system requirements in their information security program. Such elements include:
- Secure user authentication protocols including: (i) control of user IDs and other identifiers; (ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; (iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; (iv) restricting access to active users and active user accounts only; and (v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.
- Secure access control measures that: (i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and (ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
- To the extent technically feasible, encryption of all records, files and data containing personal information that will travel across public networks and transmitted wirelessly.
- Encryption of all personal information stored on laptops or other portable devices.
- Reasonable monitoring of computer systems for unauthorized use of or access to personal information.
- For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
- Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.
Of all the technical requirements, the extensive requirement of encryption has generated the most attention as it covers not only the transmission of personal information but also its storage on laptops, flash or USB drives, smart phones, and other devices. Employees frequently transfer information from an office terminal to one of these devices in order to work from home or remotely, and the regulations will apply if the device is subsequently lost or improperly accessed, potentially resulting in significant penalties for the employer if the data was not encrypted.
In light of such specific security protocols, policies and procedures required by the new regulations, all businesses that own, license, store or maintain Massachusetts residents' personal information should evaluate their current security policies and employee handbooks to determine whether they will be in full compliance by the deadline of January 1st, 2010, which is fast approaching.