All U.S. Businesses with Data on Massachusetts Residents Will Need Written Information Security Programs, Including Policies, Contracts and Training, and Will Need to Meet Computer System Requirements

As forecasted in our One Minute Memo® from January 2008, Proposed Regulations Would Impact All Businesses With Personal Data On Massachusetts Residents, the Massachusetts Office of Consumer Affairs and Business Regulations recently adopted Standards for The Protection of Personal Information of Residents of the Commonwealth (“Standards”). The statute applies to any business that collects information regarding a Massachusetts consumer or employee, and establishes certain minimum privacy and security standards. Unlike other state and some federal data security laws, these Standards apply to paper as well as electronic records.

The Standards go into effect on January 1, 2009, and require businesses to create a comprehensive written information security program. While the efficacy of a security program will be determined based on the relative size of a company and the type and amount of data a company maintains, the Standards clearly state that a security program needs to contain, at a minimum, the following:

  1. Designate one or more employees to maintain the security program
  2. Identify and assess the internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information 
  3. Evaluate current safeguards and means for detecting and preventing security system failures 
  4. Implement and evaluate ongoing employee training (which must include temporary and contract employees) 
  5. Implement and evaluate employee compliance with policies and procedures 
  6. Develop security policies that set forth whether and how employees should be allowed to keep, access, and transport records containing personal information outside of business premises 
  7. Impose disciplinary measures for violations of the comprehensive information security program rules 
  8. Prevent terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names
  9. Take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including:
    • Selecting and retaining service providers that are capable of maintaining safeguards for personal information (i.e., conducting due diligence) 
    • Contractually requiring service providers to maintain such safeguards, and requiring a certification that the service provider has a security program that complies with the Standards before providing personal information to that service provider
  10.  Limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with legal requirements 
  11. Require an audit/inventory to identify paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, unless the security program provides for the handling of all records as if they all contained personal information 
  12. Implement reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas, or containers 
  13. Regularly monitor to ensure that the security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrade information safeguards as necessary to limit risks 
  14. Review the scope of the security measures on at least an annual basis or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information 
  15. Document responsive actions taken in connection with any incident involving a breach of security, as well as mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information

The Standards also provide the following minimum technical requirements for computer systems that electronically store or transmit personal information regarding Massachusetts residents:

  1. Secure user authentication protocols including:
    • Control user IDs and other identifiers 
    • Provide a reasonably secure method of assigning and selecting passwords (or use an alternative authentication technology such as biometrics or token devices) 
    • Control data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect 
    • Restrict access to active users and active user accounts only 
    • Block access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system
  2. Secure access control measures that: 
    • Restrict access to records and files containing personal information to those who need such information to perform their job duties 
    • Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls 
  3. Encrypt (to the extent technically feasible) all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly 
  4. Implement reasonable monitoring of systems, for unauthorized use of or access to personal information 
  5. Encrypt all personal information stored on laptops or other portable devices 
  6. Provide reasonably up-to-date firewall protection and operating system security patches for files containing personal information on a system that is connected to the Internet, designed to maintain the integrity of the personal information 
  7. Provide reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis 
  8. Educate and train employees on the proper use of the computer security system and the importance of personal information security

Nevada has also recently enacted a security law that requires the encryption of information obtained from consumers who reside in Nevada. Please click here for more information about this law.