On September 22, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation issued final regulations requiring persons and businesses that “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts” to meet specific minimum standards for safeguarding personal information contained in paper and electronic form by January 1, 2009.
The regulations appear to be based on the “Safeguards Rule” of the Gramm-Leach-Bliley (GLB) Act, which regulates the safeguarding of personal information by financial institutions and has been used as a standard by the Federal Trade Commission in its data security enforcement actions. The Massachusetts rules mark the first time that GLB Act-like requirements have been codified in state regulations for general applicability.
Notably, the Massachusetts rules require that “to the extent technically feasible,” businesses encrypt “all transmitted records and files containing personal information that will travel across public networks,” “all data to be transmitted wirelessly,” and “all personal information stored on laptops or other portable devices.” “Encrypted” is defined as “the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key . . . .” It is unclear whether the requirement to encrypt “all data to be transmitted wirelessly” is intended to be limited to data containing personal information, but, as currently drafted, such a limitation is not expressly stated.
Many businesses may already comply with the Massachusetts regulations as a result of complying with GLB or by taking steps in response to the increased focus on data security, but a review of company security policies and practices in light of these new rules is advisable.