As a follow-up to our Client Alert of May 2009 ("Massachusetts to Implement Far-Reaching Law to Protect Personal Data"), this Alert outlines recent amendments to regulations regarding the Massachusetts "Data Protection" law (Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17:00) and sets forth practical steps for companies to take in order to ensure that they are in compliance.
The regulations were issued by the Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) and apply to all persons that own or license personal information about a resident of Massachusetts. They also require all companies--even those outside of Massachusetts--to take certain preventative measures to protect the personal data of employees and customers. The regulations go into effect on March 1, 2010.
The three objectives of the regulations are to: (1) ensure the security and confidentiality of Massachusetts citizens' personal information; (2) protect against anticipated threats or hazards to the integrity of that information; and (3) protect against unauthorized access to or use of such information.
To accomplish these objectives, the regulations require all companies to take certain preventative measures to protect the personal data of employees and customers.
Effect On Regulations
Amendments to the regulations were finalized by OCABR in November, 2009. Two aspects of the amendments are of particular relevance to companies. First, the final regulations make clear that OCABR has adopted a risk-based approach to information security which takes into account a company's size, resources and the nature and quantity of data being collected. Thus, the regulations no longer mandate every component of an information security program and instead provide flexibility for small businesses in achieving compliance. This is intended to help alleviate the burden that the regulations may place on small companies that do not handle a large amount of personal information.
Second, instead of an effective date of January 1, 2010, businesses are now required to be in compliance by March 1, 2010. Still, as compliance will take a considerable amount of time and effort, it is important for companies to begin to evaluate their policies immediately, in order to ensure compliance by March 1.
Actions to Ensure Compliance
Before establishing a comprehensive information security program, companies should conduct an organization-wide assessment of their current information security policies and procedures. They should identify which retained records and documents contain "personal information" as defined by the regulations. Once these documents have been identified, companies should evaluate why this information is being retained, who has access to this information and what security is in place to protect this information. To the extent possible, companies should minimize their collection of this type of data.
After conducting this review, businesses should develop a Written Information Security Program (WISP). As set forth in the amendments to the regulations, the WISP should be tailored appropriately to the size and scope of the business, the amount of resources available to the business, and the amount of data being stored. The WISP must address the steps being taken to ensure compliance with the regulations and should include documentation of the following action steps:
1. Requirements Relating to Employees
a. Put in place reasonable restrictions on physical access to records containing personal information. It is recommended that such records are kept in locked areas and/or containers.
b. Provide on-going training of employees regarding compliance with security policies and procedures, including measures relating to computer security. Temporary and contract employees must receive this training, as well.
c. Establish and enforce disciplinary measures against employees who violate the WISP's protocols.
d. Maintain a policy which ensures the security of personal information for situations in which employees are storing, accessing or transporting records away from the business premises.
e. Take appropriate steps to ensure that terminated employees cannot access records containing personal information. It is recommended that all keys and electronic key-cards are collected from terminated employees. Similarly, all email addresses, usernames and passwords of terminated employees should be deactivated.
2. Address Computer Security Requirements if Technically Feasible
a. Develop a system to secure control of user IDs and other identifiers; establish a secure method of assigning and protecting passwords. Set parameters to restrict access to files containing personal information to those who need such information to perform their job.
b. Ensure proper encryption of all records containing personal data that travel across public networks. Likewise, all personal information stored on laptops and other devices must be properly encrypted.
c. Review security software in order to ensure the use of reasonably up-to-date firewall and anti-virus software, as well as operating system security patches.
3. Oversee Service Providers
a. Any third-party service providers with whom the companies contract (such as health insurance companies and payroll and human resources services) must be capable of maintaining security measures to protect personal information.
b. Any contract entered into with a third-party vendor after March 1, 2010, must require the vendor to maintain such security measures. Any such contract entered into prior to March 1, 2010, need not be revised or updated to include these requirements until March 1, 2012.
4. Continual Monitoring
a. Monitor the WISP regularly and make any necessary updates to ensure security.
b. Review the scope of the WISP annually or if there is a material change in business practices.
c. Document any incident regarding a breach of security.
Complying with the regulations may appear daunting for companies; however, careful planning and implementation of comprehensive procedures will help ensure compliance by March 1.