Once again the Massachusetts Office of Consumer Affairs and Business Regulations has delayed the implementation of its Standards for The Protection of Personal Information of Residents of the Commonwealth (“the Standards”). The new effective date for the Standards is March 1, 2010.  

The Standards still require businesses that collect personal information from Massachusetts residents to create a comprehensive written information security program. However, the Standards have been softened somewhat to take into consideration a “risk-based approach.” This means that the program can be tailored to provide administrative, technical, and physical safeguards appropriate to: a) the size, scope, and type of business; b) the amount of resources available to the business; c) the amount of data stored by the business; and d) the need for security and confidentiality of consumer and employee information. In addition, specific auditing requirements and the imposition of a “minimum necessary” standard for the collection and use of information have been eliminated.  

Security Program Requirements  

Even with these modified requirements, the Standards still legally require a business to implement a wide variety of data security “best practices.” A business’s security program, at a minimum, must:  

  1. Designate one or more employees to maintain the security program
  2. Identify and assess the internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information  
  3. Evaluate current safeguards and means for detecting and preventing security system failures  
  4. Implement and evaluate ongoing employee training (which must include temporary and contract employees)  
  5. Implement and evaluate employee compliance with policies and procedures  
  6. Develop security policies that set forth whether and how employees should be allowed to keep, access, and transport records containing personal information outside of business premises  
  7. Impose disciplinary measures for violations of the program rules
  8. Prevent terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names  
  9. Take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information  
  10. Contractually require service providers to maintain such safeguards, and take all reasonable steps to ensure that the service provider has a security program that complies with the Standards before providing personal information to that service provider (with existing contracts being “grandfathered” in until March 1, 2012)  
  11. Implement reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas, or containers  
  12. Regularly monitor to ensure that the security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrade information safeguards as necessary to limit risks  
  13. Review the scope of the security measures on at least an annual basis, or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information  
  14. Document responsive actions taken in connection with any incident involving a breach of security; as well as mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information  

Computer System Requirements  

The Standards still provide minimum technical requirements for computer systems that electronically store or transmit personal information regarding Massachusetts residents. Businesses with such computer systems must undertake the following:  

  1. Secure user authentication protocols, including:
  • Control of user IDs and other identifiers
  • A reasonably secure method of assigning and selecting passwords (or use of an alternative authentication technology such as biometrics or token devices)
  • Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect
  • Restriction of access to active users and active user accounts only
  • Blocking of access to a user identification after multiple unsuccessful attempts to gain access, or the limitation placed on access for the particular system
  2. Secure access control measures that:
  • Restrict access to records and files containing personal information to those who need such information to perform their job duties
  • Assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls  
  3. Encrypt all transmitted records and files containing personal information that will travel across public networks, and encrypt all personal data to be transmitted wirelessly  
  4. Implement reasonable monitoring of systems for unauthorized use of or access to personal information  
  5. Encrypt all personal information stored on laptops or other portable devices  
  6. Provide reasonably up-to-date firewall protection and operating system security patches for files containing personal information on a system that is connected to the Internet, designed to maintain the integrity of the personal information  
  7. Provide reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis  
  8. Educate and train employees on the proper use of the computer security system and the importance of personal information security.