On February 12, 2009, Massachusetts amended new regulations, initially issued last Fall, requiring each entity that owns, licenses, stores, or maintains personal information about a Massachusetts resident in either electronic or paper form to have a comprehensive written information security program. These regulations were first issued in September 2008 by the Massachusetts Office for Consumer Affairs and Business Regulation ("OCABR") pursuant to the Commonwealth's data breach notification statute enacted in late 2007, M.G.L. c. 93H. On November 14, 2008, the original January 1, 2009 effective date of these regulations was delayed until May 1, 2009 and beyond. Pursuant to the February 12, 2009 amendments, the effective date of all aspects of the regulations has been delayed until January 1, 2010.
Scope of MA Regulations
The Massachusetts regulations establish minimum standards for safeguarding personal information about a Massachusetts resident contained in either paper or electronic records.
"Personal information" is defined as a Massachusetts resident's first and last name or first initial and last name together with either a Social Security number, the number of a driver's license or other state-issued identification card number, or a financial account, credit or debit card number.
These regulations, like the underlying data breach notification statute, apply not only to institutions with vast databases, but also to every person, business, or organization of any size that collects Social Security numbers, financial account, credit or debit card numbers, or other personal information. Even the smallest business typically collects and maintains the names of its employees together with their Social Security numbers, not to mention sensitive financial account information for automatic deposits, which means that small and large businesses alike will be subject to the new Massachusetts regulations. Further, these regulations apply to any entity (such as a law firm or professional association) that routinely handles personal information (concerning, for instance, its clients or members).
Sliding Scale Compliance Assessment
However, the Massachusetts regulations specifically provide that an entity's efforts to comply with the regulations will be assessed on a sliding scale based upon the size, scope and nature of the entity's activity; the resources available to the entity; the amount of data stored; and the need to ensure the security and confidentiality of the data.
Duty to Protect Personal Information
Every entity covered by the Massachusetts regulations must develop, implement, maintain and monitor a comprehensive written information security program ("WISP") applicable to all records containing personal information. A WISP should be reasonably consistent with applicable industry standards and must be consistent with safeguards required by any state or federal regulations governing the entity. Highlights of WISP requirements include:
- Designating one or more employees to oversee information security.
- Assessing reasonably foreseeable internal and external security risks and, if necessary, improving employee training, employee compliance with policies and procedures and measures for the detection and prevention of data breaches.
- Developing policies for restricting access to personal information by current employees; preventing access by terminated employees; and imposing disciplinary measures for WISP violations.
- As originally promulgated, the MA regulations also required every covered entity to verify that third-party service providers with access to the entity's personal information were capable of protecting it; to insist, via contract provisions, that third-party service providers maintain appropriate safeguards; and to obtain from such a third party written certification that the third party has its own WISP that complies with the MA regulations. The February 12, 2009 amendments have replaced the foregoing requirements with a provision that an effective WISP include "[t]aking all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00."
- Limiting the amount of personal information collected, the duration for which it is maintained and access to it based on what is reasonably necessary for the entity to accomplish its legitimate objectives.
- Identifying all paper records and electronic storage media where personal information may be located and accessed, unless the WISP treats all records as if they contain personal information, and restricting physical access thereto.
- Regular monitoring and upgrading of the WISP, including reviewing the scope of security measures at least annually or whenever there is a material change in business practices that may affect those measures.
- Documenting how the entity responds to any data breach, including mandatory post-incident reviews and resulting changes in its business practices or WISP.
A comprehensive information security program should incorporate appropriately tailored business processes, technology, training, monitoring and review provisions that are coordinated with the implementing organization's business processes. Effective development, implementation and monitoring of a comprehensive information security program requires a joint effort of (i) information technology personnel, (ii) human resources personnel, (iii) business leaders and (iv) legal personnel with experience handling IT and privacy-related matters.
Duty to Protect Computer Systems
Where personal information is included in electronic records, a WISP also must provide for the establishment and maintenance of a security system covering the entity's computers, including any wireless system. Key requirements for authentication protocols and access control measures include:
- Methods for assigning, controlling and securing user IDs, passwords, or other unique identifier technologies, such as biometrics or token devices.
- Restricting access to active users and active user accounts only.
- Blocking access after multiple unsuccessful attempts to gain access.
- Restricting access on a need-to-know basis.
The regulations also call for:
- The encryption of all personal information to be transmitted wirelessly and, to the extent technically feasible, the encryption of all such information that will travel across public networks. While the original regulations called for the encryption of all "data" transmitted wirelessly, the February 12, 2009 amendments make it clear this requirement applies only to personal information.
- Reasonable system monitoring to detect unauthorized use of or access to personal information.
- Encryption of all personal information stored on laptops (by May 1, 2009) or other portable devices such as BlackBerries™ or Treos™ (by January 1, 2010).
- Up-to-date firewall protection and security patches for systems containing personal information that are connected to the Internet.
- Use of malware protection and virus-scanning software that is regularly updated with new virus definitions and security patches.
- Employee training on the computer security system and the importance of protecting personal information.
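The "reasonable system monitoring" point above is the one most organizations find hardest to make concrete. The following is an added example, not from the alert or from the regulation, of an offline review pass over an access log for records containing personal information; the log format, the user directory, the business-hours window and the bulk-access threshold are all constructed assumptions.

```python
"""Added example: review a constructed access log for the kinds of
unauthorized use the monitoring requirement targets. Format, directory
and thresholds are assumptions, not anything the regulation specifies."""
from collections import defaultdict
from datetime import datetime

# Constructed user directory: user -> (is_active, record classes this user may read)
DIRECTORY = {
    "jdoe": (True, {"payroll"}),
    "asmith": (True, {"customer_cards"}),
    "former": (False, {"payroll"}),   # terminated employee, account deactivated
}
BUSINESS_HOURS = range(7, 19)   # assumed: 07:00 to 18:59 is normal working time
BULK_THRESHOLD = 3              # assumed: more PI records than this per hour is suspicious

# Constructed audit log: ISO timestamp, user, action, record class, record count
SAMPLE_LOG = """\
2009-03-02T09:15:00 jdoe READ payroll 1
2009-03-02T09:20:00 jdoe READ customer_cards 1
2009-03-02T09:25:00 former READ payroll 1
2009-03-02T10:05:00 asmith EXPORT customer_cards 2
2009-03-02T10:06:00 asmith EXPORT customer_cards 2
2009-03-02T10:07:00 asmith EXPORT customer_cards 2
2009-03-02T10:08:00 asmith EXPORT customer_cards 2
2009-03-02T23:40:00 jdoe READ payroll 1
"""


def parse_line(line: str):
    ts, user, action, rclass, count = line.split()
    return datetime.fromisoformat(ts), user, action, rclass, int(count)


def review_log(log_text: str):
    """Return a list of (timestamp, user, alert_kind, record_class) tuples."""
    alerts = []
    hourly = defaultdict(int)   # (user, record class, hour) -> records touched
    for line in log_text.splitlines():
        ts, user, action, rclass, count = parse_line(line)
        active, permitted = DIRECTORY.get(user, (False, set()))
        if not active:
            # Any use of a deactivated or unknown account is unauthorized by definition.
            alerts.append((ts, user, "inactive-account-access", rclass))
            continue
        if rclass not in permitted:
            alerts.append((ts, user, "outside-need-to-know", rclass))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((ts, user, "after-hours-access", rclass))
        hourly[(user, rclass, ts.strftime("%Y-%m-%dT%H"))] += count
    # Volume check: an unusually large number of PI records in one hour.
    for (user, rclass, hour), n in hourly.items():
        if n > BULK_THRESHOLD:
            alerts.append((datetime.fromisoformat(hour + ":00:00"), user, "bulk-access", rclass))
    return sorted(alerts)


if __name__ == "__main__":
    for ts, user, kind, rclass in review_log(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:8} {kind:24} {rclass}")
```

Each alert kind maps back to a requirement in the alert: inactive-account and need-to-know findings check the access-control rules, while after-hours and bulk findings are the "reasonable monitoring" signals that a breach response process would then document and review.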
Although the regulations discussed in this Alert affect only personal information collected from Massachusetts residents, similar requirements have been enacted or are being considered in forty-five other jurisdictions. To learn more about the new Massachusetts regulations or about data breach notification statutes in other jurisdictions, or for assistance in developing a comprehensive written information security plan that complies with current statutes and regulations, please contact any of the Day Pitney attorneys listed herein as contacts. Read OCABR's press release accompanying the February 12, 2009 amendments by clicking here and read the full text of the recently amended Massachusetts regulations by clicking here.