On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a second set of revisions to the Standards for the Protection of Personal Information of Residents of the Commonwealth (Massachusetts Standards), 201 CMR 17.00. In support of the revisions, the OCABR also issued Frequently Asked Questions (FAQs). The OCABR has scheduled a public hearing concerning the revised Massachusetts Standards on September 22, 2009. The agency will accept oral and written testimony at the hearing and continue to accept written comments up to September 25, 2009.
The revisions are intended to increase the flexibility of the regulations in a manner that will reduce burdens on entities subject to the rules, particularly small and mid-sized businesses. Among the most notable changes in the regulations are the following.
1. Deadline Extended: The compliance deadline for all provisions of the Massachusetts Standards has been extended from January 1, 2010 to March 1, 2010.
2. Elimination of Detailed Inventory Provision: The Massachusetts Standards no longer require a documented inventory of all files containing personal information subject to the regulations. The detailed data inventory provision was among the more burdensome elements of prior versions of the regulations. Accordingly, this should result in resource savings for compliance efforts. Nonetheless, the FAQs state that covered entities should conduct a thorough risk assessment that identifies the records containing personal information so that those records may be appropriately protected. Thus, covered entities should still plan to conduct a reasonable inventory of data sources and paths involving personal information in order to ensure that vulnerabilities and threats are accurately identified and appropriate controls put into place.
3. Elimination of Data Minimalization Obligation: The Massachusetts Standards no longer contain a data minimalization requirement. Previous versions of the regulations obligated covered entities to collect only the personal information that was necessary to accomplish the legitimate purpose for which the data was collected and retain that data only so long as needed to accomplish that purpose. Nevertheless, the FAQs still advise entities to limit the amount of personal information collected and the length of time that such data is stored. While the amendments also removed the reference to limiting access to personal information to those with a reason to know from the data minimalization provision, this requirement is still present in the technical safeguards requirements. See 201 CMR 17.04(2)(a).
4. Risk-Based Approach: While the OCABR press release and FAQs heavily emphasize the concept that the revised Massachusetts Standards take a more risk-based approach to compliance, the changes are not readily apparent. Previous iterations of the Massachusetts Standards were similarly scalable based on the unique circumstances of each covered entity. The prior versions of the regulations stated that the required information security program would be evaluated by the Commonwealth based on the: (a) size and type of the covered business; (b) resources available to the covered business; (c) amount of stored data; and (d) need for security and confidentiality of the personal information. That provision has been removed. In the revised regulations, it is provided that the required information security program should implement safeguards that are appropriate to the four factors listed above. See 201 CMR 17.03(1). This change may make the scalability of the regulations slightly more straightforward, but has little impact on the practical considerations of compliance.
5. Technical Feasibility Test: All technical safeguard requirements are now subject to a technical feasibility test. This amendment has two effects of note.
a. Covered entities are only required to implement technical safeguards that are “technically feasible.” However, the definition of technically feasible provided in the FAQs (“if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used”) is not self-contained. Other portions of the FAQs may provide additional insight into the Commonwealth’s view on technical feasibility. For example, in the discussion of encryption for portable devices, the FAQs note: “there is little, if any, generally accepted encryption technology for most portable devices ….” On the other hand, the FAQs note there is technology available to encrypt laptops. Thus, it may be reasonable to conclude that covered entities are not expected to adopt cutting-edge technologies to satisfy the requirements of the Massachusetts Standards; only “generally accepted” technology is necessary.
b. When there is no feasible technical control, the OCABR expects covered entities to take reasonable alternative steps to protect personal information. The FAQs state that if encryption of backup tapes is not technically feasible, entities should take reasonable steps to protect the personal information stored on the tapes. For example, the FAQs suggest using an armored vehicle service to transport unencrypted backup tapes. Similarly, the FAQs recommend using a secure, password-protected website exclusively to conduct transactions involving personal information if encryption of email is not technically feasible for an entity.
6. Third Parties Must Be Contractually Bound: The revisions restore the explicit requirement to contractually obligate third party service providers to provide safeguards consistent with the Massachusetts Standards for any personal information that they handle on behalf of a covered entity. See 201 CMR 17.03(2)(f)(2). This revised section raises three points of particular interest.
a. The revised Massachusetts Standards include a grandfather clause for third party service agreements entered into before the effective date of the regulations. It should be noted that the current revision presents inconsistent effective dates for the grandfather clause, indicating that contracts entered into prior to March 1, 2010 and March 1, 2012 are exempted from the regulations. We presume that this inconsistency will be addressed in the near future.
b. The revisions also expressly require that the ability to provide safeguards consistent with the Massachusetts Standards must be a factor in the selection, as well as retention, of third party service providers. See 201 CMR 17.03(2)(f)(1). Accordingly, integrating data protection analysis into the due diligence process for third party service agreements will be important going forward.
c. The separate certification requirement for third party service providers, present in the initial version of the Massachusetts Standards, has not been reinserted. Consequently, it appears that once the due diligence investigation has been completed and the necessary contractual clauses have been agreed to, there is no express obligation to certify continuing compliance in writing. Nonetheless, a procedure to periodically review the safeguards applied by third party service providers is still an advisable practice. This procedure could be integrated into the periodic reevaluations of the entity’s information security program required by the Massachusetts Standards. See 201 CMR 17.03(2)(i).
7. New Definition of Who is Covered: The revised Massachusetts Standards introduce new definitions to designate the persons and entities subject to the regulations. The Massachusetts Standards apply to all persons who own or license personal information of Massachusetts residents. See 201 CMR 17.01(2). “Owns or licenses” is now defined as: “receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.” 201 CMR 17.02. Similarly, “service provider” is defined as: “any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of service directly to a person that is subject to this regulation …” and explicitly excludes the U.S. Postal Service. Id. In practice, the scope of the Massachusetts Standards remains essentially unchanged, but the lines between those who “own or license” and those who are “service providers” are more clearly drawn.
8. Encryption Definition: The definition of encryption has been revised to make it slightly more technology neutral. In particular, the Massachusetts Standards no longer expressly require encryption to involve an algorithmic process. See id. This change is unlikely to have any significant effect in the near term, but may grant a certain level of flexibility in the long run should non-algorithmic alternative techniques become feasible.
9. Credit Card Swiping: According to the FAQs, businesses that use credit card swiping technology, but do not have actual custody or control of the associated personal information, are not considered owners or licensors of the data and thus not subject to the Massachusetts Standards for that personal information. Nevertheless, the OCABR expects any such merchant to comply with the requirements of the Payment Card Industry Data Security Standard. This exception does not absolve merchants of their obligations regarding employee personal information under the Massachusetts Standards.
10. HIPAA Interaction: The FAQs state that entities that currently comply with the HIPAA Security Rule, 45 C.F.R. Part 164, Subpart C, are subject to the Massachusetts Standards. As a practical matter, the HIPAA Security Rule is more comprehensive than the current version of the Massachusetts Standards, so any entity in compliance with the HIPAA Security Rule should not require additional security controls for electronic protected health information (EPHI). However, to the degree that HIPAA covered entities collect and/or use personal information that is not EPHI, such as employee payroll information, that non-EPHI personal information must be protected by safeguards consistent with the Massachusetts Standards. In addition, protected health information that is not stored or maintained in electronic form, and therefore not subject to the HIPAA Security Rule (although subject to the substantial protections of the HIPAA Privacy Rule, 45 C.F.R. Part 164, Subpart E), may require additional safeguards in order to meet the expectations of the Massachusetts Standards.
As noted, the proposed changes are subject to public comment and a hearing, so further changes are possible.