WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS
Introduction

Massachusetts regulations set forth minimum requirements for both the protection of personal information and the electronic storage or transmittal of personal information. These dual requirements recognize the challenge of conducting business in a digital world and reflect the manner in which most investment advisers presently conduct their advisory business. The Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) establishes a duty to protect personal information (defined as a combination of a name along with a Social Security number, bank account number, or credit card number); sets forth standards for the protection of such personal information; and mandates the development of a security system covering a company's computers.

In brief, the Massachusetts data security regulations require businesses that own or license personal information about Massachusetts residents to develop a comprehensive information security program that contains administrative, technical and physical safeguards for the protection of personal information. These measures must (i) be commensurate with the size and scope of their advisory business and (ii) contain administrative, technical and physical safeguards to ensure the security of such personal information. In addition, companies that store personal information on portable devices (e.g., laptops, PDAs and flash drives) or transmit personal information wirelessly or on public networks must deploy encryption and protect against data leakage. The regulations define the phrase "owns or licenses" as receiving, maintaining, processing or otherwise having access to personal information.
Standards for Protecting Personal Information

The Massachusetts regulations are quite specific as to what measures are required when developing and implementing an information security plan. Such measures include, but are not limited to:

- Designating one or more employees to maintain the comprehensive information security program;
- Identifying and assessing internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, current safeguards for minimizing risks, including, but not limited to: (i) ongoing employee (including temporary and contract employee) training; (ii) employee compliance with policies and procedures; and (iii) means for detecting and preventing security system failures;
- Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises;
- Imposing disciplinary measures for violations of the comprehensive information security program rules;
- Preventing terminated employees from accessing records containing personal information;
- Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with the regulations and any applicable federal regulations;
- Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information;
- Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers;
- Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information, and upgrading information safeguards as necessary to limit risks;
- Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information; and
- Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Computer System Security Requirements

The Massachusetts regulations require that an information security program include security procedures that cover a company's computer systems. Pursuant to Massachusetts law, any business that uses computers to store personal information about Massachusetts residents must, at a minimum, have the following elements in its information security program:

- Secure user authentication protocols, including (i) control of user IDs and other identifiers; (ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; (iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; (iv) restricting access to active users and active user accounts only; and (v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
- Secure access control measures that (i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and (ii) assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
- To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly;
- Reasonable monitoring of systems for unauthorized use of or access to personal information;
- Encryption of all personal information stored on laptops or other portable devices;
- For files containing personal information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information;
- Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis; and
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.
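The user-authentication and access-control elements above (controlled user IDs, passwords that are not vendor defaults and are not stored in a form that compromises them, access limited to active accounts, lockout after repeated failed attempts, and monitoring of access) can be checked concretely in code. The following is an added illustration written for this paper, not code from the white paper or from U.S. Compliance Consultants; the lockout threshold, the password-length floor, the denylist standing in for vendor-default passwords and the sample accounts are all constructed assumptions, and the regulation itself sets no specific numbers.

```python
"""Illustrative authentication gate mapped to the 201 CMR 17.04(1) elements.

Added example, not from the original paper. Threshold values, the
default-password denylist and the account names are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5      # assumed lockout threshold; regulation gives none
MIN_PASSWORD_LENGTH = 12     # assumed floor for "reasonably secure" selection
PBKDF2_ITERATIONS = 200_000  # salted, slow hash so stored passwords are protected

# Constructed stand-in for the list of vendor-supplied default passwords.
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "123456"}


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    active: bool = True          # element (iv): active users only
    failed_attempts: int = 0
    locked: bool = False         # element (v): blocked after repeated failures


@dataclass
class AccountStore:
    accounts: dict = field(default_factory=dict)
    # Every decision is recorded so the "reasonably monitor systems" element
    # has something to review; a real deployment would ship this to a SIEM.
    audit_log: list = field(default_factory=list)

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def provision(self, user_id: str, password: str) -> None:
        """Element (i)/(ii): unique IDs, and no vendor-default or weak passwords."""
        if user_id in self.accounts:
            raise ValueError("user ID already assigned")
        if password.lower() in DEFAULT_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password is a vendor default or too short")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, self._hash(salt, password))

    def deactivate(self, user_id: str) -> None:
        """Terminated employee: record stays on file, but login is refused."""
        self.accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str) -> str:
        """Return 'ok', 'unknown_user', 'inactive', 'locked' or 'bad_credentials'."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return self._record(user_id, "unknown_user")
        if not acct.active:
            return self._record(user_id, "inactive")
        if acct.locked:
            return self._record(user_id, "locked")
        # Constant-time comparison of the freshly derived hash against the stored one.
        if hmac.compare_digest(self._hash(acct.salt, password), acct.password_hash):
            acct.failed_attempts = 0
            return self._record(user_id, "ok")
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return self._record(user_id, "locked")
        return self._record(user_id, "bad_credentials")

    def _record(self, user_id: str, outcome: str) -> str:
        self.audit_log.append((user_id, outcome))
        return outcome


def lockout_demo() -> list:
    """Constructed scenario: one good login, then repeated wrong passwords."""
    store = AccountStore()
    store.provision("jdoe", "correct horse battery staple")
    outcomes = [store.authenticate("jdoe", "correct horse battery staple")]
    for _ in range(MAX_FAILED_ATTEMPTS):
        outcomes.append(store.authenticate("jdoe", "not the password"))
    # Even the right password is refused once the account is locked.
    outcomes.append(store.authenticate("jdoe", "correct horse battery staple"))
    return outcomes


if __name__ == "__main__":
    print(lockout_demo())
```

The point of the `audit_log` is that the lockout and inactive-account checks produce records an adviser can actually review, which is what turns the "reasonably monitor systems" element from a policy statement into something a periodic review can verify.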
As can be seen from the above list, what the Massachusetts regulations have generously provided to advisers is, in effect, a shopping list that they can take to their nearest computer consultant. Investment advisers would be well-advised to turn each of the above listed elements into a computer security checklist, find a reputable computer specialist, and outsource the project to those with the expertise to equip the firm's computer system with the requisite security capabilities.
About the Author

Scott Gottlieb is the founder and President of U.S. Compliance Consultants. Mr. Gottlieb brings to U.S. Compliance Consultants more than 17 years of experience in developing, implementing, and monitoring compliance programs for investment advisers and hedge funds. U.S. Compliance Consultants is a full-service consulting firm that specializes in registration and compliance support services for investment advisers. U.S. Compliance Consultants' services include investment adviser registration, development of written compliance and supervisory procedures, compliance training, annual compliance reviews and mock compliance audits. U.S. Compliance Consultants can customize a compliance solution to fit the exact needs of your advisory firm.

15 East Putnam Avenue, Suite 286
Greenwich, CT 06830-5424
Phone (888) 798-2930
Fax (203) 702-5420
www.uscomplianceconsultants.com