Effective March 1, 2010, the controversial data security regulations issued by the Massachusetts Office of Consumer Affairs and Business Regulation ("OCABR") take effect, and apply to all businesses that maintain personal information about Massachusetts residents. The Regulations (201 CMR 17.00) are available at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
The Massachusetts Regulations create the most comprehensive set of general data security obligations yet to be imposed on businesses by a state. Moreover, the Regulations will likely have a nationwide impact. They apply to all businesses "that own, license, store or maintain personal information about a resident" regardless of where the business is located, its size, or its industry sector. Thus, companies not located in Massachusetts may nonetheless come under the requirements. Examples include companies with employees and contractors who are residents of the state; companies that run sweepstakes and contests that are open to residents of the state; television, motion picture and print productions that use talent who are residents of the state; and businesses with customers who are residents of the state.
The Regulations cover personal information that includes first name (or initial) and last name of a Massachusetts resident, in combination with at least one of the following data elements: (a) Social Security number; (b) driver's license number or state-ID number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, PIN or password.
The Massachusetts Regulations are intended to protect the “security and confidentiality” of this personal information. To do that, they require companies to:
- Implement a risk-based, process-oriented, “comprehensive, written information security program” in accordance with a detailed list of requirements; and
- Encrypt all personal information that is: (1) stored on laptops or other portable devices, (2) contained in records and files transmitted over public networks, and (3) transmitted wirelessly.
Attorneys in Wildman Harold's Privacy and Data Security group can help you determine if the requirements apply to you and how to develop a compliance program. A brief summary of the requirements and the penalties for non-compliance is set forth below.
A. Requirement to Implement Comprehensive Security Program
At the heart of the Massachusetts Regulations is the requirement to "develop, implement, maintain and monitor a comprehensive, written information security program" designed to ensure the security and confidentiality of any records containing personal information. The Regulations specify that an entity's security program must be reasonably consistent with industry standards, and must include appropriate administrative, technical, and physical safeguards for such records.
Developing a comprehensive written information security program requires implementing a fact-specific, risk-based process that addresses the company’s current business realities and adapts to future changes. With some notable exceptions (discussed below), this requirement rejects a one-size-fits-all approach to the specifics of a security program, making it impossible to comply with these laws merely by implementing technologically sophisticated security “solutions.”
Instead, the legal requirement can be summarized by the phrase "process plus categories." That is, to satisfy its legal obligation to implement "reasonable security," a company must: (i) engage in a defined, repeatable, risk-based "process," and (ii) apply that process to all areas of its risk, including to selected "categories" of security controls specified in the applicable regulations.
1. The Process
Like existing federal regulations and FTC policy, the Massachusetts Regulations require each covered company to implement the following processes as part of its comprehensive security program:
- Assign Responsibility: Designate one or more employees to maintain the security program;
- Identify Information Assets: Identify the corporate information assets that need to be protected, including records containing personal information and computing systems and storage media (such as laptops and portable devices) used to store such personal information;
- Conduct Risk Assessment: Conduct a risk assessment to identify and assess the risks to the security, confidentiality, and/or integrity of the company’s information assets;
- Select and Implement Security Controls: Select and implement appropriate physical, administrative, and technical security controls to minimize the risks identified in its risk assessment, including security controls within certain identified “categories” (discussed below);
- Monitor Effectiveness: Regularly monitor and test the security controls it has implemented to ensure that the security program is operating in a manner reasonably calculated to protect the personal information; and upgrade the security controls as necessary to limit risks;
- Regularly Review Program: Review and adjust the information security program at least annually, and also (i) whenever there is a material change in business practices that could affect personal information, and (ii) following any incident involving a breach of security; and
- Address Third Party Issues: If a business uses third-party service providers, it must:
  - Take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect the personal information; and
  - Require such third-party service providers by contract to implement and maintain such appropriate security measures for personal information.
2. The Categories
The Massachusetts Regulations, like other laws requiring a comprehensive security program, specify certain categories of physical, administrative, and technical security controls that a covered company must address in assessing its particular risks and business model as part of the process of implementing a compliant security program. Without specifying which specific security controls must be put in place, the Massachusetts Regulations require that:
- The Physical Security Controls must include:
  - Reasonable restrictions on physical access to records; and
  - Storage of such records and data in locked facilities, storage areas or containers.
- The Administrative Security Controls must include:
  - Policies regarding employee access to, and transport of, records outside of business premises;
  - Disciplinary measures for violations of the security program;
  - Procedures to prevent terminated employees from accessing records; and
  - Security education and training for employees.
- The Technical Security Controls must include:
  - Secure identity management and user authentication protocols;
  - Secure access control measures that restrict access to those who need the information, and assign unique identifications plus passwords to each person with authorized computer access;
  - Encryption of all records containing personal information that travel across public networks, are transmitted wirelessly, or are stored on laptops or other portable devices;
  - Monitoring of systems for unauthorized use of or access to personal information; and
  - Up-to-date firewall protection, operating system security patches for systems connected to the Internet, and up-to-date software providing malware and virus protection.
Compliance (and, conversely, enforcement) will likely be judged on how rigorously and appropriately a business has analyzed and documented its risk, and on whether it has implemented security controls in each such category consistent with its risk assessment.
B. Requirement to Encrypt Data
The Massachusetts Regulations also require any entity that stores or transmits electronic records containing personal information to encrypt that information in specific situations. Specifically:
- Stored personal information must be encrypted if it is stored on "laptops or other portable devices." While "portable device" is not defined, it presumably includes portable communication devices such as Blackberries and cell phones, as well as portable storage devices such as iPods and USB flash drives, and may even include portable media such as DVDs.
- Personal information being transmitted must also be encrypted, "to the extent technically feasible," if it "will travel across public networks" or if it will "be transmitted wirelessly." Public networks clearly include the Internet, and wireless transmission presumably includes communication even within a corporate network.
C. Penalties for Non-Compliance
The potential costs of not complying with the Massachusetts Regulations could be significant. The Massachusetts attorney general may seek a temporary restraining order or a preliminary or permanent injunction under the Massachusetts Unfair Competition Statute ("Chapter 93A") against any entity suspected of being in violation of the Regulations. If a court finds that the Regulations were violated, it may impose civil penalties of up to $5,000 per violation, as well as court costs and attorneys' fees. The damage to a company's goodwill and reputation that is likely to accompany an enforcement action could also impose significant cost on a business.
The risk of class action litigation may also be a major concern for companies that fail to comply with the Regulations. Massachusetts residents may bring a claim for unfair or deceptive practices under Chapter 93A, or a negligence claim that uses the Regulations and Chapter 93A to establish that the company breached a specific duty to safeguard his or her personal information. Under Massachusetts law, a violation of the statute could constitute per se negligence and potentially expose defendant companies to claims in the amount of a plaintiff's actual damages, or $25.00, whichever is greater. If damages are calculated on a per-individual-record basis, as is the case in CAN-SPAM litigation, they could be significant. Treble damages are available for willful or knowing violations.