The new Massachusetts security regulations affect almost every employer in the Commonwealth and many other companies that have relationships with Massachusetts residents. They will require significant security and other policy changes, including encryption of laptops and wireless communications containing personal information.

While the effective date of these rules was recently postponed from January 1 to May 1, 2009, there is a considerable amount of work that companies and entities of all sorts, including many located outside Massachusetts, will need to do to comply.

Broader than GLB

These new privacy and security requirements are broader than Gramm-Leach-Bliley, and will affect nearly any company that, for example, possesses or uses a Social Security number, driver’s license number, financial account number or credit card number of any Massachusetts resident, including employees, customers, vendors, or insureds. There are no industry, sector or out-of-state exemptions, and no de minimis number of employees under the Massachusetts regulations.

Businesses have roughly five months from now to comply with the security regulation, 201 CMR 17.00, which requires any business, regardless of size and location, that owns, licenses, stores or maintains defined personal information of Massachusetts residents, including employees, to develop or revise its existing security policies to satisfy the new Massachusetts requirements. These obligations were reported in our two previous Client Advisories here and here.

Companies are struggling with:

  1. whether SSNs of Massachusetts employees, used for routine employment, benefit and tax purposes, can be isolated or selectively secured, which is especially problematic if the company has employees residing in other states, or whether that is a practical impossibility given the different servers or databases on which that data resides;
  2. what level or types of encryption are necessary on what systems;
  3. what security, compliance and monitoring modifications are necessary to what third party service, supply or other contracts; and
  4. what process, systems or architecture assistance will be necessary to identify the next steps in this exercise.

Extension of Deadline

On November 14, 2008, the Office of Consumer Affairs and Business Regulation (“OCABR”) announced that the effective date of the regulation was extended from January 1 to May 1, 2009. At a Boston Bar Association conference on November 12, 2008, David Murray, General Counsel for the OCABR, acknowledged that the OCABR had received many requests to push back the effective date because of compliance difficulties. This extension will coincide with the enforcement date of the new federal Red Flag rules for financial entities and creditors. While these two sets of obligations overlap to a degree, the Massachusetts rules impose additional obligations and apply to a broader range of companies.

Nearly Any Connection to Massachusetts Residents

Under the regulation, all companies that obtain and maintain personal information about Massachusetts residents are affected, including any company (i) with any employee residing in Massachusetts (even if the company is not in Massachusetts), (ii) with a client or insured who resides in Massachusetts from whom the company obtains personal information, (iii) with claim or underwriting information that includes personal information of individuals who are Massachusetts residents (e.g., information produced by insureds to underwriters, or information of claimants maintained in claim files), and (iv) with personal information of a Massachusetts resident that it maintains for any other reason. The Massachusetts requirements apply regardless of where the company is located.

Personal information that is subject to the mandatory protection requirements is a first and last name (or first initial and last name) combined with any one or more of the following: Social Security number, driver’s license number, financial account number, or credit or debit card number, with or without any associated password or PIN.

New Deadlines

The new deadlines under the regulation are:

The general compliance deadline for 201 CMR 17.00 has been extended from January 1, 2009 to May 1, 2009.

The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so is extended from January 1, 2009 to May 1, 2009, and the deadline for requiring written certification from third-party providers is further extended to January 1, 2010.

The deadline for ensuring encryption of laptops is extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices is further extended to January 1, 2010.

Click here to view the official press release announcing the deadline extension.