Massachusetts’s new data security regulations, effective as of March 1, 2010, currently set forth the country’s most stringent requirements for protecting data. Extending beyond what is required by other states, Massachusetts specifies that, for example, covered entities must implement a written information security program and must encrypt personal information that will be transmitted over the Internet, or that is kept on laptops and other portable devices. Massachusetts regulators and enforcement agencies would likely make the following three arguments that out of state entities must also comply with the new regulations.
First, Massachusetts would likely argue that, in order to determine whether an entity is subject to the regulations, the threshold inquiry involves an assessment of information owned or licensed by the entity – not an assessment of where that entity is located. The regulations pertain to legal entities that own or license personal information of Massachusetts residents, which is defined as a Massachusetts resident’s first and last name, or first initial and last name in combination with any one or more of the following data elements related to the resident: (1) social security number; (2) driver’s license number or state-issued identification card number; or (3) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. Thus, Massachusetts would likely contend that any company that owns or licenses personal information of Massachusetts residents – regardless of where that company is located – is a covered entity under the regulations.
Second, based on discussions that occurred before the regulations went into effect, it is safe to expect that Massachusetts regulators will assert the right to enforce the regulations against out-of-state entities. While no litigation has been filed as of yet – the regulations have been in effect for just over two months – Massachusetts regulators have made clear that they intend to vigorously enforce the regulations to the extent required to protect Massachusetts residents from identity theft, the very purpose for which these regulations were promulgated.
Third, Massachusetts would likely argue that owning or licensing personal information is sufficient for jurisdictional purposes. Specifically, Massachusetts would contend that, by owning or licensing personal information of Massachusetts residents, the out-of-state entity purposefully availed itself of the privilege of conducting business in Massachusetts. Alternatively, Massachusetts would contend that owning or licensing personal information of Massachusetts residents constitutes sufficient contacts with Massachusetts. While no precedent currently exists on this issue, Massachusetts would attempt to convince the courts that owning or licensing a Massachusetts resident’s personal information satisfies one or both of these jurisdictional tests.
Because we expect that Massachusetts will aggressively enforce these new regulations, we encourage out-of-state entities that own or license personal information of Massachusetts residents to work towards compliance with the new regulations by implementing administrative, technical and physical safeguards to protect the personal information they own or license.