On September 19, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation issued a set of final regulations establishing standards for how businesses must protect and store personal information of Massachusetts consumers. Among the key requirements, businesses must now encrypt all personal information of Massachusetts residents transmitted across public networks or wirelessly, and such information that is stored on laptops or other portable devices. These regulations, designated in 201 Mass. Code Regs. 17.00 et seq., are not set to take effect until January 1, 2009.
The new regulations apply to all businesses and individuals that own, license, store, or maintain personal information of Massachusetts residents. The stated purpose of the regulations is to establish minimum standards that these businesses and individuals must meet to safeguard personal information contained in both paper and electronic records.
I. Comprehensive Security Program
The regulations impose a duty on covered businesses and individuals to develop, implement, maintain, and monitor a comprehensive, written information security program that applies to any “records” containing personal information of Massachusetts residents. As defined in the regulations, “records” means “any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.” The regulations further state that the program must be consistent with industry standards, and contain administrative, technical, and physical safeguards to ensure the security and confidentiality of the records.
To determine whether a security program complies with the regulations, the following factors are considered: (1) the size, scope, and type of business; (2) the resources available to the business; (3) the amount of stored data; and (4) the need for security and confidentiality of the information. As outlined in the regulations, every comprehensive security program must, at a minimum, include the following:
- Designation of one or more employees to maintain the security program;
- Identification and assessment of internal and external risks to the security, confidentiality, and/or integrity of any records containing personal information, and an evaluation of the effectiveness of current safeguards to limit these risks, including:
- Ongoing employee training,
- Employee compliance, and
- Means for detecting and preventing security system failures;
- Development of security policies for employees addressing whether and how employees should keep, access, and transport records with personal information outside the business’ premises;
- Establishment of disciplinary measures for violation of program rules;
- Prevention of terminated employees from accessing records with personal information by immediately terminating their physical and electronic access to the records;
- Verification that third-party service providers with access to the personal information have the ability to protect the information, and such providers are bound by contract to maintain the safeguards;
- Receipt of written certification that a third-party service provider with access to personal information is in compliance with the regulations;
- Limitation on amount of personal information collected and its retention, and the restriction of access such information to a need-to-know basis;
- Identification of records, computing systems, and storage media to determine which records contain personal information;
- Restrictions on physical access to and storage of records containing personal information;
- Regular monitoring of employee access to personal information;
- Review of scope of security measures annually or when material changes take place in business practices; and
- Documentation of responsive actions taken regarding security breach incidents and a mandatory post-incident review to change business practices pertaining to the protection of personal information.
II. Electronic Record Security Requirements Including Mandatory Encryption
For those businesses and individuals that own, license, store, or maintain personal information on Massachusetts residents and electronically store or transmit such personal information, the regulations also require them to establish and maintain security systems that cover computers, including wireless systems, as part of the above comprehensive information security programs. Perhaps most pressing for businesses, is that these computer security systems must now include the following two features: (1) encryption of all transmitted records and files that will travel across public networks and encryption of all data transmitted wirelessly; and (2) encryption of all personal information on laptops and other portable devices.
Additional requirements for the computer security systems include: (1) secure use authentication protocols; (2) secure access control measures; (3) monitoring of systems for unauthorized use of or access to personal information; (4) current firewall protection and operating system security patches for files containing personal information on systems connected to the Internet; (5) current versions of system security agent software that includes malware protection, current patches, and virus definitions, or software that can be supported with current patches and virus definitions and is programmed regularly to receive current security updates; and (6) education and training for employees on why personal information security is importance and how to use the computer security system.