Sonnenschein’s Internet, Communications, and Data Protection (“ICDP”) Group encourages you to review your data security and privacy programs to make sure you comply with the Massachusetts data security rules, which will take effect on March 1, 2010. The rules require companies to implement a comprehensive information security program that includes administrative, technical, and physical controls to protect sensitive personal information. So let's walk through a few scenarios with the following hypothetical conversation:
I don’t have an office, store, or place of business in Massachusetts, so I’m not that worried about the Massachusetts rules.
Did you know that you might be subject to the rules even if you don’t have a place of business in Massachusetts? If you collect sensitive personal information from anyone who is a Massachusetts resident, you are technically subject to the rules.
What if I don’t have any employees or customers in Massachusetts?
If you do not have an office, store, place of business, employees, customers, users, or any other business dealings in Massachusetts, you may not be required to comply with the Massachusetts rules.
Woo-hoo! Thanks for the update!
You may not want to celebrate just yet. Even if your business isn’t covered by the Massachusetts rules, there’s a good chance that you are required to comply with at least five different types of state, federal, and industry data security and privacy laws and regulations. If you are covered by the Massachusetts rules, complying with them may give you a head start on some of those other laws. To get an idea of which laws might apply to your business, let’s walk through some questions:
1. Do you have customers, employees, users, and/or patients in more than one state? Do you collect any sensitive personal information, such as Social Security numbers (“SSNs”), drivers’ license numbers, credit card numbers, bank account numbers, health insurance numbers, and/or health information?
2. Do you collect SSNs from any customers, employees, users, or patients?
If you answered yes to questions one and two, you should be aware that you may be required to comply with at least two federal laws and five different types of state laws, including:
- The FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC has actively used this authority to take action against businesses that have a) not implemented reasonable controls to protect sensitive personal information; or b) disclosed sensitive personal information in ways other than those spelled out in their Privacy Policies;
- The CAN-SPAM Act, which requires businesses to comply with specific requirements when sending commercial emails;
- State data security laws. In addition to the Massachusetts rules, data security laws are already in effect in several other states;
- State data privacy laws. A few states have laws governing website privacy policies, and a couple of states require companies to disclose to customers the types of personal information the company shares with third parties for marketing purposes or sells to third parties for compensation;
- State SSN laws. Over 30 states have enacted laws governing the collection, use, and protection of SSNs;
- State data destruction laws. Over half the states have laws in effect that require companies to use secure disposal methods when disposing of electronic and hard copy records containing sensitive personal information; and
- State data breach notification laws. Forty-five states and the District of Columbia have laws in place requiring companies to notify affected individuals if their sensitive personal information is compromised as a result of a security breach.
Hmm. I didn’t realize that. Are those the only data security and privacy laws and rules I have to worry about?
We’ll have to go with the standard lawyer answer: it depends. We still have a few more questions before we’re done.
3. Do you accept credit and/or debit cards?
If you accept credit and/or debit cards, you must also comply with requirements in the Payment Card Industry Data Security Standard (“PCI DSS”). All of the major credit card companies (Visa, MasterCard, American Express, Discover, etc.) require all merchants who take credit cards to be PCI-compliant.
Oh, we’re PCI-compliant. We pay some company to scan our systems every quarter like we’re supposed to.
Are you sure? Quarterly external vulnerability scans (run by a scanning vendor approved by the PCI Security Standards Council) are one of the things merchants are required to do under the PCI DSS, but they’re far from the only thing. Depending on your merchant level, you’ll also have to complete an annual self-assessment questionnaire or undergo an on-site assessment, and the scan only tells you whether your Internet-facing systems have known vulnerabilities, not whether the rest of the standard is being followed.
Really? What else do we have to do?
Like the Massachusetts rules, the PCI DSS requires companies to implement administrative, technical, and physical controls to protect payment card information. However, the PCI DSS requirements are much more detailed and exacting than those in the Massachusetts rules: the standard is organized into twelve requirements covering network security, protection of stored cardholder data, encryption of card data sent over public networks, vulnerability management, access control, logging and monitoring, regular security testing, and a written security policy. Merchants found to be non-compliant may be fined by the card brands (typically passed through the merchant’s acquiring bank) and can lose the ability to accept cards.
Wow. So if I take credit cards and store the information, I have to comply with all those state laws AND the PCI DSS, too? That’s got to be everything, right? RIGHT?
It might be, but you probably should go through the last two questions just to be sure.
4. Are you regulated under a sector-specific statute like GLBA or HIPAA?
If your business is classified as a financial institution regulated under the Gramm-Leach-Bliley Act (“GLBA”), you’re required to comply with information security and privacy guidance issued by your financial regulator, the FTC, or your state insurance regulator.
If you’re a HIPAA covered entity, you’re required to comply with the HIPAA Privacy and Security Rules. The 2009 stimulus bill (the HITECH Act, enacted as part of the American Recovery and Reinvestment Act) significantly increased penalties for violations of the HIPAA Privacy and Security Rules and made the HIPAA Security Rule directly applicable to Business Associates. HHS has also signaled that it will step up enforcement of both rules, so it’s even more important to make sure your business is compliant.
Whew! I went through all the questions, and our business doesn’t collect any personal information from customers, we don’t take credit cards, and we’re not a financial institution or a HIPAA covered entity. Our clients and customers do all those things, but we don’t.
I hate to rain on the parade, but you might not want to break out the champagne just yet.
What do you mean?
You should go back and review the contracts you have with your clients and customers. Many of the laws and rules we just covered, including the Massachusetts rules, require a company that collects sensitive personal information to ensure that any third party it gives that information to, including vendors, consultants, and contractors, protects it to the same standard. The Massachusetts rules, for example, require a company to take reasonable steps to select service providers capable of maintaining appropriate safeguards and to require those safeguards by contract. If you handle your clients’ customer, employee, or user data, expect those obligations to flow down to you.
OK, I get it. I need to make sure my business is compliant with all of these laws and rules. But how on earth do I do that? Where do I even start?
One good way to start is by taking a step-by-step look at how your business collects, processes, protects, stores, and disposes of sensitive personal information. To get some ideas on how to do this, follow our daily blog posts during the month of February. We’ll review some things companies should be doing to make sure they comply with the Massachusetts rules by March 1st.
What about all those other laws and rules you just talked about?
We can’t possibly blog about all those different rules and laws in a single month, so we decided to focus on the Massachusetts rules as a starting point. However, if you have specific questions about the Massachusetts rules, any of the other laws and rules discussed above, or any other data security and privacy questions, please give us a call or send us an email.