The Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth (the “Regulations”) in September 2008.
Almost immediately, the Regulations generated questions and concerns, including about the scope of the standards they imposed and the capacity of many businesses to achieve compliance by the original deadlines, especially in this challenging economy.
The Regulations originally were to take effect on January 1, 2009. By November 2008, however, OCABR recognized that many businesses currently face “economic uncertainties” and, as a result, it extended most of the Regulations’ compliance deadlines to May 1, 2009, including the deadline to encrypt all laptops containing “personal information” as defined by the Regulations. OCABR also extended deadlines for obtaining written certifications of compliance with the Regulations from third-party service providers and encrypting portable devices other than laptops to January 1, 2010.
Even as extended, the Regulations have continued to generate discussion, and on December 1, 2008, OCABR scheduled a public hearing for January 16, 2009, to consider amendments to the Regulations. No one can foresee the outcome of the public hearing. While the Regulations might be amended prior to May 1, 2009, a business handling PI should begin evaluating its existing IT and personal information security policies and procedures now to identify steps it may need to take to comply with the standards discussed below.
Current Scope of the Regulations
The Regulations apply to specific types of personal information about a Massachusetts resident contained in paper or electronic records. “Personal Information” (“PI”) is defined as non-public information consisting of a Massachusetts resident’s first name and last name (or first initial and last name) plus the resident’s (i) Social Security number; (ii) driver’s license number or state identification card number; or (iii) financial account number or credit/debit card number.
As currently drafted, all persons, including individuals and corporate entities, who “own, license, store or maintain” personal information about a Massachusetts resident must comply with the Regulations without regard to whether the person or the relevant records are located within Massachusetts. Additionally, the Regulations do not differentiate between customers and employees. Therefore, even if a company does not handle PI about its customers, if it stores personal information about its Massachusetts employees, it must comply with the Regulations.
Current Minimum Standards for Compliance
The Regulations require that every individual or company handling PI develop, implement, maintain and monitor a comprehensive written information security program (“WISP”) applicable to any records containing the PI. A particular WISP’s compliance with the Regulations will be determined by taking into account (i) the size, scope and type of business of the individual or company, (ii) the amount of resources available to it, (iii) the amount of private data involved, and (iv) the need for security and confidentiality of consumer and employee information.
At a minimum, however, the Regulations currently require that every WISP:
- Designate at least one employee to maintain the WISP;
- Identify all paper and electronic records, computing systems, and storage media, including laptops and portable devices, that contain PI or, alternatively, treat all records and data as if they all contain PI;
- Identify and assess reasonably foreseeable internal and external risks to paper and electronic records containing PI, and evaluate and improve, where necessary, the effectiveness of current safeguards for limiting those risks;
- Limit the amount of PI collected, the length of time it is stored, and the people with access to it to that which is reasonably necessary to accomplish legitimate business purposes, or to comply with state or federal law;
- Develop policies and procedures covering the secure handling and storage of, and physical access to, paper records containing PI both on and off the business premises;
- Provide procedures for regular employee training, monitoring employee compliance, disciplining employees for WISP violations, and documenting actions taken in connection with any breach of security involving PI;
- Evaluate and verify that third party service providers with access to a company’s PI have the capacity to comply with the Regulations; contractually require that those third party providers maintain PI safeguards consistent with the Regulations; and obtain written certifications of compliance with the Regulations from those providers before allowing them access to any PI; and
- Regularly monitor, review and upgrade, as necessary, the WISP and its safeguards.
Additionally, any individual or company that electronically stores or transmits records containing PI must establish and maintain a security system for computers and wireless systems, which, at a minimum:
- Provides secure user authentication protocols, including control of user IDs, a reasonably secure method of assigning and selecting passwords or use of unique identifier technologies, secure storage of passwords, restrictions on access to active users only, and blocking of access to the system after repeated failures to gain access;
- Provides secure access control measures that restrict access to electronic files containing PI on a need-to-know basis, and assigns a unique identification plus a password that is not a vendor default password to each person granted that access;
- To the extent technically feasible, encrypts all records and files containing PI that will travel over public networks, and encrypts all data to be transmitted wirelessly;
- Encrypts all PI stored on laptops or other portable devices;
- Provides reasonably up-to-date firewall protection and operating system security patches for any computer system containing PI that is connected to the Internet, and reasonably up-to-date system security software, which must include malware protection, up-to-date patches, and virus definitions;
- Trains employees on the proper use and importance of the computer security system; and
- Provides reasonable monitoring of systems for unauthorized use of or access to PI.
We would be pleased to keep you informed of any amendments to the Regulations and to assist in the implementation of a compliant WISP. For further assistance, please contact your usual Goulston & Storrs attorney or the author at:
Alan M. Reisch
This client advisory should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer concerning your situation and any specific legal questions you may have.
Pursuant to IRS Circular 230, please be advised that this communication is not intended to be, was not written to be and cannot be used by any taxpayer for the purpose of (i) avoiding penalties under U.S. federal tax law or (ii) promoting, marketing or recommending to another taxpayer any transaction or matter addressed herein.
© 2009 Goulston & Storrs – A Professional Corporation All Rights Reserved