Massachusetts General Laws, Chapter 93H, enacted in November 2007, requires (1) notification of data security breaches and (2) requirements to ensure the protection of personal information. Although the notification requirements became effective almost immediately, the final regulations issued to implement this law only recently clarified the prevention requirements. The final regulations (201 CMR 17.00) implementing Chapter 93H’s requirements were issued in February and compliance is mandatory by January 1, 2010. These regulations also incorporate Chapter 93H’s sister statute, Massachusetts General Laws, Chapter 93I, which addresses destruction of documents and media containing personal information.
What Is Required
The pertinent section of 93H provides in part that any individual or entity who stores, licenses, maintains, or transmits personal information is required to (1) prepare a Written Information Security Plan (WISP); (2) implement the WISP; (3) train employees about the WISP; and (4) monitor compliance and effectiveness of the WISP – all by January 1, 2010.
These requirements apply to all businesses, regardless of size, and also to Personal Information, defined as the combination of the first and last name, or first initial and last name, of a Massachusetts resident together with any of the following:
(a) social security number; or
(b) driver’s license or state identification card number; or
(c) credit card or financial account number, such as a bank or retirement account number.
The regulations call for:
- Secure user access protocols
- Secure electronic transmission of Personal Information
- Encryption of portable devices, including back-up tapes, laptops, flash drives, PDAs, and, in some cases, cell phones.
- Methods of updating technology security measures, such as antivirus software and
- A WISP containing a comprehensive plan for maintaining security of Personal Information, including, among other things, identifying individuals who are responsible for preparing and monitoring the WISP; identifying systems where Personal Information is located; identifying risks and evaluating safeguards; ensuring that all third party service providers (such as payroll processing companies) are compliant with 93H; distribution of the WISP to and training of all employees; substantive disciplinary measures for violations of the WISP; preparing record retention and destruction policies (consistent with Chapter 93I); and restricting physical access to Personal Information.
Many of the 93H requirements, including ensuring that all third-party service providers are compliant with 93H, are based on taking “reasonable” steps. There is, however, little information available as to what is considered “reasonable.” Additionally, what is or is not reasonable may differ based on the size of the business, the number of employees of the business, or the amount of Personal Information the business may store or maintain.
What To Do Now:
Although January seems an eternity away, the program requirements are somewhat onerous and require technological security elements, administrative maintenance and monitoring elements, and physical handling and disposition of personal information, all compiled into a WISP and implemented with training of employees. It is best to prepare a compliance calendar so that everything need not be done on December 31. Some starting points:
- Identify an appropriate team drawn from human resources, accounting, document management, information technology, and senior management to help prepare and implement the plan.
- Identify technology consultants who truly understand the requirements of this law and regulations - not just someone trying to sell their services and products regardless of the actual need.
- Clarify what Personal Information you have, who needs access, when it is transmitted electronically and how long you need to keep it. Personnel records, payroll records, direct deposit information, 401K information, healthcare and beneficiary information, accounting databases, checks from individual customers, client databases, PayPal, and other online payment accounts are just some examples where Personal Information is located.
- Identify third-party service providers and consultants who have access to Personal Information.
- Identify and consult with information destruction experts to ensure proper destruction of Personal Information.
- Collect Personal Information from individuals that will no longer have access to such information.
- Write the WISP.
- Distribute the WISP to all employees and train them on what the WISP requires and any changes in company protocols and business that are the result of compliance.
- Ensure limited access to Personal Information.
- Obtain assurances that third-party service providers and consultants who have access to Personal Information are complying with this law and these regulations.
- Periodically follow-up on the WISP to make sure that all of its elements are being implemented properly and, if something is not working, it is corrected.
Unlike some legal compliance requirements, an IT consultant will likely need to assist in meeting the technological requirements under this law and its regulations. As with all legal compliance requirements, legal counsel should be consulted in preparing a WISP and making appropriate plans for implementing it, including training employees.