Many companies will see a significant expansion of their obligations to protect and secure corporate data as a result of new state regulations set to become effective on January 1, 2009. The regulations, which are likely to have a nationwide impact, will require all companies to look closely at the state of their information security compliance efforts.
On September 22, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation ("OCABR") released "Standards for Protection of Personal Information of Residents of the Commonwealth" ("Regulations") [1], as required by a 2007 Massachusetts law [2]. Together with its data breach and document destruction laws, Massachusetts has created one of the most comprehensive sets of general security legislation yet seen in any state. Most notably, the Regulations require companies to:
- Implement a risk-based, process-oriented, "comprehensive written information security program" that addresses a detailed set of requirements, including a variety of employee and technical security issues.
- Encrypt all personal information that is:
  - transmitted over public networks;
  - transmitted wirelessly; or
  - stored on laptops, mobile and other portable devices.
A. Scope of the Regulations
The Regulations apply broadly to all businesses that own, license, store or maintain records containing personal information about a Massachusetts resident. On its face, this includes all businesses wherever located, if they have records containing personal information about Massachusetts residents.
The Regulations apply to all records that contain personal information. "Personal information" means a combination of a person's name plus one of a series of sensitive data elements related to that person (Social Security, driver's license or state-issued identification card numbers, or financial, credit or debit card account numbers).
The Regulations apply to "any records" containing personal information in all types of media: electronic, paper, visual, audio (e.g., voicemail), and any other form.
B. Comprehensive Security Program Requirement
The heart of the Regulations is the requirement that businesses must "develop, implement, maintain and monitor a comprehensive, written information security program" designed to ensure the security and confidentiality of any records containing personal information. Such a comprehensive information security program must be reasonably consistent with industry standards, and must include appropriate administrative, technical, and physical safeguards for such records.
The Regulations generally reject a one-size-fits-all approach to the specifics of a security program, adopting instead a fact-specific, process-oriented approach. That is, the Regulations require each company's comprehensive information security program to consist of an ongoing, repeated process of assessment and appraisal tailored to its unique circumstances.
That process involves assessing the specific risks a company faces, identifying and implementing appropriate security controls responsive to those risks, verifying that they are effectively implemented, and ensuring that they are continually updated in response to new developments. Specifically, the Regulations require that each covered company must:
- Designate one or more employees to maintain its security program.
- Identify and inventory its personal information assets, including records containing personal information, as well as computing systems and storage media, including laptops and portable devices, used to store personal information.
- Conduct a risk assessment to identify and assess internal and external risks to the security, confidentiality, and/or integrity of its records containing personal information, and evaluate the effectiveness of the current safeguards for minimizing such risks.
- Select and implement appropriate physical, administrative, and technical security controls to minimize the risks identified in its risk assessment. The Regulations don't specify the exact security controls, but do specify certain categories of controls that must be addressed, as follows:
  - The Physical Security Controls must include reasonable restrictions on physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.
  - The Administrative Security Controls must include:
    - Limits on the amount of personal information collected, the time such information is retained, and the persons who are allowed to access it.
    - Policies regarding employee training, monitoring, discipline for violations of the security program, and employee access to and transport of records containing personal information.
  - The Technical Security Controls must include the following elements:
    - Secure user authentication protocols.
    - Secure access control measures that restrict access to those who need such information to perform their job duties and assign unique identifications plus passwords to each person with computer access.
    - Encryption of all records containing personal information that travel across the Internet, are transmitted wirelessly, or are stored on laptops or other portable devices.
    - Monitoring of systems for unauthorized use of or access to personal information.
    - Up-to-date firewall protection, operating system security patches for systems connected to the Internet, and up-to-date software providing malware and virus protection.
- Regularly monitor and test the security controls to ensure that the security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrade information safeguards as necessary to limit risks.
- Review and adjust the security program at least annually and, in addition, (i) whenever there is a material change in business practices that could affect personal information, or (ii) following any incident involving a breach of security (based on lessons learned).
- Carefully select, retain and supervise contractors and third-party service providers that have access to the company's personal information by taking reasonable steps to verify that they have the capacity to protect such personal information, including: (i) selecting and retaining service providers that are capable of maintaining safeguards for personal information; (ii) contractually requiring service providers to maintain such safeguards; and (iii) obtaining from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the Regulations.
While companies have a great deal of flexibility in satisfying the foregoing requirements, the Regulations specify that the security program must meet basic standards for reasonableness, and in no case may it fall below the standards established by other federal or state regulation applicable to that business. The Regulations also specify that a company's security program will be contextually evaluated for compliance based on a variety of factors, including the size, complexity, business model and resources of the business.
C. Encryption Requirement
Of particular significance to companies are the stringent encryption requirements in the Regulations. Notwithstanding the results of any risk assessment, the Regulations mandate the use of encryption in three key situations:
- Whenever personal information is communicated over the Internet;
- Whenever personal information is transmitted wirelessly (presumably even within a corporate network); and
- Whenever personal information is stored on laptops or other portable devices (which presumably includes Blackberries, cell phones, iPods, and USB drives).
These encryption requirements (particularly as applied to laptops and mobile devices) go well beyond the law in other states, such as Nevada, which requires encryption of personal information when sent over the Internet, and California and Maryland, which require encryption of Social Security numbers when sent over the Internet. Thus, they will likely require that companies implement significant new encryption capabilities.
D. Continuing the Legal Trend
While new at the state level, the requirements for a comprehensive security program set out in the Regulations are largely a restatement of the legal definition of "reasonable security" that has evolved over the past several years. Similar requirements for a comprehensive security program are embodied in a series of existing federal financial, insurance, and health care industry laws and regulations and FTC enforcement actions. Massachusetts has now extended that approach to all businesses that use personal information of Massachusetts residents.
As such, the Regulations are the next logical step in a trend that began in 2004, when states began enacting legislation imposing a general obligation on all companies to "implement and maintain reasonable security procedures and practices" to protect personal information about residents from unauthorized access, destruction, use, modification, or disclosure. By adopting the Regulations, Massachusetts has, in effect, become the first state to formalize the definition of "reasonable security" under those laws.
The approach to corporate information security obligations embodied in the Regulations recognizes that legal compliance with security obligations requires a "process" tailored to reflect the unique circumstances and risks of each business, rather than a law that simply identifies a set of specific technological standards or individual security measures. Thus, to comply, companies will need to develop and commit to a process that is risk-based, ongoing, and continuously reviewed, revised and updated.
For some time, the Federal Trade Commission has expressed the view that this "process-oriented" approach to information security represents a general "best practice" for legal compliance that should apply to all businesses in all industries, and it has required that defendants implement this approach to security in all of its decisions and consent decrees relating to alleged failures to provide appropriate information security.
At the same time, however, the absolute requirements for encryption of personal data, particularly when stored on laptops and portable devices, represent a significant departure from other developing law. Whether that kind of requirement becomes a trend remains to be seen.
The borderless nature of modern electronic commerce may well make the Regulations the de facto law of the land for many businesses. Thus, any potentially covered entity should be prepared to conduct a full assessment of its practices and promptly begin to dedicate the financial, legal and technical resources that it will take to comply with the complex and sophisticated Regulations that go into effect in slightly more than three months. The Regulations' requirements are extensive and will require prompt, careful, and ongoing coordination and consultation between a covered entity's legal and IT departments.