Under new regulations, each entity that owns, licenses, stores, or maintains personal information about a Massachusetts resident in either electronic or paper form must have a comprehensive written information security program. These regulations have been issued by the Massachusetts Office for Consumer Affairs and Business Regulation ("OCABR") pursuant to the Commonwealth's data breach notification statute enacted last year, M.G.L. c. 93H. On November 14, 2008, the original January 1, 2009 effective date of these regulations was delayed until May 1, 2009 and beyond. The Legislature's Joint Committee on Consumer Protection and Professional Licensure will hold a hearing on the new regulations at 2 p.m. on Wednesday, November 19, 2008.

Scope of New Regulations

The new Massachusetts regulations establish minimum standards for safeguarding personal information about a Massachusetts resident contained in either paper or electronic records.

"Personal information" is defined as a Massachusetts resident's first and last name or first initial and last name together with either a Social Security number, the number of a driver's license or other state-issued identification card number, or a financial account, credit or debit card number.

These regulations, like the underlying data breach notification statute, apply not only to institutions with vast databases, but also to every person, business, or organization of any size that collects social security numbers, financial account, credit or debit card number or other personal information. Even the smallest business typically collects and maintains names of employees together with their Social Security numbers, not to mention sensitive financial account information for automatic deposits, which means that small and large business, alike, will be subject to the new Massachusetts regulations. Further, these regulations apply to any entity (such as a law firm or professional association) that routinely handles personal information (concerning, for instance, its clients or members).

Sliding Scale Compliance Assessment

However, the Massachusetts regulations specifically provide that an entity's efforts to comply with the regulations will be assessed on a sliding scale based upon the size, scope and nature of the entity's activity; the resources available to the entity; the amount of data stored; and the need to ensure the security and confidentiality of the data.

Duty to Protect Personal Information

Every entity covered by the Massachusetts regulations must develop, implement, maintain and monitor a comprehensive written information security program ("WISP") applicable to all records containing personal information. A WISP should be reasonably consistent with applicable industry standards and must be consistent with safeguards required by any state or federal regulations governing the entity. Highlights of WISP requirements include:

  • Designating one or more employees to oversee information security.
  • Assessing reasonably foreseeable internal and external security risks and, if necessary, improving employee training, employee compliance with policies and procedures and measures for the detection and prevention of data breaches.
  • Developing policies for restricting access to personal information by current employees; preventing access by terminated employees; and imposing disciplinary measures for WISP violations.
  • Verifying that third-party service providers with access to an entity's personal information are capable of protecting it and contractually requiring them to maintain such safeguards. The effective date for requiring an entity to obtain written certification from a service provider that the latter has its own WISP has been delayed until January 1, 2010.
  • Limiting the amount of personal information collected, the duration for which it is maintained and access to it based on what is reasonably necessary for the entity to accomplish its legitimate objectives.
  • Identifying all paper records and electronic storage media where personal information may be located and accessed, unless the WISP treats all records as if they contain personal information, and restricting physical access thereto.
  • Regular monitoring and upgrading of the WISP, including reviewing the scope of security measures at least annually or whenever there is a material change in business practices that may affect same.
  • Documenting how the entity responds to any data breach, including mandatory post-incident reviews and resulting changes in its business practices or WISP.

A comprehensive information security program should incorporate appropriately tailored business processes, technology, training, monitoring and review provisions that are coordinated with the implementing organization's business processes. Effective development, implementation and monitoring of a comprehensive information security program requires a joint effort of (i) information technology personnel, (ii) human resources personnel, (iii) business leaders and (iv) legal personnel with experience handling IT and privacy-related matters. For access to some of our briefing materials on developing a comprehensive information security program, please visit our website by clicking here or contacting any of the Day Pitney attorneys listed in this Alert.

Duty to Protect Computer Systems

Where personal information is included in electronic records, a WISP also must provide for the establishment and maintenance of a security system covering the entity's computers, including any wireless system. Key requirements for authentication protocols and access control measures include:

  • Methods for assigning, controlling and securing user IDs, passwords, or other unique identifier technologies, such as biometrics or token devices.
  • Restricting access to active users and active user accounts only.
  • Blocking access after multiple unsuccessful attempts to gain access.
  • Restricting access on a need-to-know basis.

The regulations also call for:

  • The encryption of all personal information to be transmitted wirelessly and, to the extent technically feasible, the encryption of all such information that will travel across public networks.
  • Reasonable system monitoring to detect unauthorized use of or access to personal information.
  • Encryption of all personal information stored on laptops (by May 1, 2009) or other portable devices such as BlackberriesTM or TreosTM (by January 1, 2010).
  • Up-to-date firewall protection and security patches for systems containing personal information that are connected to the Internet.
  • Use of malware protection and virus-scanning software that periodically define new viruses and update security patches accordingly.
  • Employee training on the computer security system and the importance of protecting personal information.

Although the regulations discussed in this Alert affect only personal information collected from Massachusetts residents, similar requirements have been enacted or are being considered in forty-five other jurisdictions. To learn more about the new Massachusetts regulations or about data breach notification statutes in other jurisdictions, or for assistance in developing a comprehensive written information security plan that complies with current statutes and regulations, please contact any of the Day Pitney attorneys listed herein as contacts. The full text of the new Massachusetts regulations, as well as other pertinent information, can be found at Massachusetts OCABR's website by clicking here.