In the wake of the highly publicized theft of massive amounts of confidential customer information, Massachusetts enacted comprehensive data security legislation intended to prevent unauthorized access to such information. The Office of Consumer Affairs and Business Regulation (OCABR) has since issued detailed regulations implementing the legislation. Compliance with these regulations is now required by March 1, 2010.
What Businesses Are Covered?
At first blush, one might assume that these regulations deal with confidential customer information (such as credit card information). The obligations imposed by this new regulatory scheme, however, are much broader. They effectively apply to all businesses that employ Massachusetts residents, at least to the extent the business maintains any employee records that contain “personal information.” “Personal information” as defined by the regulations includes a resident’s last name, first name or first initial and either (a) social security number; (b) driver’s license number or state issued identification card number; or (c) financial account number, or debit or credit card number. In light of this expansive definition, nearly all employers that maintain personnel or payroll information will be covered by the new law.
What Is Required?
The regulations impose a duty to protect the security and integrity of such information, which includes a written comprehensive information security program that contains administrative, technical and physical safeguards to protect against both internal and external risks to the integrity of personal information. In response to pressure from business groups, OCABR issued the most recent revisions to the regulations on August 17, 2009, which explicitly acknowledge that these administrative, technical and physical safeguards will depend on the size, scope and type of business, the amount of resources available to the business, and the need for the security and confidentiality of the information at hand. Moreover, the revised regulations significantly amend the prior regulatory requirements.
The regulations contain a detailed list of requirements for an appropriate comprehensive information security program, which includes, among many other things, designation of an employee to maintain the plan, assessment of “reasonably foreseeable” risks to the security of personal information maintained by the business, policies regarding the use of records containing personal information outside of the business, steps to ensure compliance by vendors, and certain documentation requirements.
In addition, the new regulations require technical safeguards relative to information systems (computers and wireless systems) used by businesses, to the extent safeguards are “technically feasible.” These safeguards include:
- Secure user authentication protocols
- Secure access control measures
- Encryption requirements
- Firewall, virus and malware protection
- Training and education of employees
The determination of whether a business's electronic information systems comply with these new regulations is highly technical, and will likely require the assistance of information technology professionals.
Employee Training Required
The implementing regulations require that employers provide employees with training on the plan. In particular, the regulations require education and training of appropriate employees on the proper use of computer security systems and the importance of personal information security.
Third Party Vendors
The regulations provide that businesses must require third party vendors to agree by contract to implement appropriate security measures to protect personal information. However, in another easing of initial regulatory requirements, the recently revised regulations provide a window of time for businesses to amend third party service provider agreements that are not compliant with the regulations. Unfortunately, the current language of the revised regulation is not clear. However, the regulations seem to allow for the use of non-compliant contracts until February 28, 2012, provided that such contracts were entered into prior to March 1, 2010 and are appropriately amended by March 1, 2012.
Further Amendments Possible
OCABR will hold a public hearing on these changes on September 22, 2009. As such, it is possible that additional comments to the revised regulations could yield yet further changes.
Notification of Security Breaches
Employers should also be mindful of the requirement to provide notice of a known or suspected breach of the security of personal information. Massachusetts General Laws Chapter 93H requires businesses that maintain or store personal information to provide notice of such a breach immediately to the attorney general, the Director of OCABR and the affected resident. The statute requires that specific information be provided in such notices. The Attorney General’s Office may seek civil penalties for violations of the statute, which may include penalties of up to $5,000 per violation, as well as costs of investigation and enforcement (including reasonable attorneys’ fees).
What Should Employers Do?
According to Mark Burak, a shareholder in Ogletree Deakins’ newly opened Boston office: “Although there are specific requirements involved in compliance, much of what is required by the new regulations involves the application of common sense measures to protect personal information. Many employers, concerned about protection of confidential information, already take many of the steps required by the new law.” He adds that “employers should take advantage of the extension of time to develop a strong information security plan, and implement additional computer security measures. They should also make sure they keep abreast of any additional changes in the law.”