The Massachusetts Data Security Law and Regulations

November 2, 2009

Boston Brussels Chicago Düsseldorf Houston London Los Angeles Miami Milan Munich New York Orange County Rome San Diego Silicon Valley Washington, D.C. Strategic alliance with MWE China Law Offices (Shanghai)

Massachusetts has enacted some of the most comprehensive state data security laws in the United States. The latest regulations take effect March 1, 2010, and all entities subject to these regulations must be in compliance by that date or risk substantial fines and penalties. As the March deadline looms, companies throughout the United States are wrestling with the question of whether and to what extent these laws apply to their workplace, particularly if they do not do business in Massachusetts. To help companies answer that question and chart a course toward compliance, this White Paper provides a comprehensive overview of the Massachusetts data security laws and regulations. Understanding the legal framework for data security in Massachusetts is an important step toward minimizing the risk of enforcement action and avoiding litigation when facing ever-increasing threats to security in the workplace.

Overview of Relevant Statutes and Regulations

On August 3, 2007, Massachusetts enacted legislation to protect its residents from the growing problem of identity theft. The legislation had three principal components. First, it amended an existing consumer protection law, Massachusetts General Laws Chapter 93, to give consumers the right to obtain a security freeze on their credit report.[1] Second, it enacted a new Chapter 93H, now known as the Massachusetts security breach notification law, which took effect October 31, 2007.[2] Chapter 93H requires, among other things, that entities notify certain state government officials, including the Massachusetts Attorney General and the Director of the Office of Consumer Affairs and Business Regulation (OCABR), in the event of a security breach, and that entities inform consumers whose personal information may have been compromised.[3] Third, it enacted a new Chapter 93I requiring entities that store personal information of Massachusetts residents to destroy and dispose of that information in certain prescribed ways.[4] Chapter 93I took effect February 3, 2008.[5]

Some of the most sweeping requirements of this legislation came later in the form of regulations entitled The Standards for the Protection of Personal Information of Residents of the Commonwealth[6] (Regulations). The Regulations establish certain minimum standards that covered entities must meet to safeguard the personal information of Massachusetts residents. These Regulations are among the strictest in the nation. In addition to the security breach notification requirements, which the vast majority of states already have on the books, the Regulations go one step further and require covered businesses to take proactive steps in advance of any breach in order to protect the personal information in their possession. The Regulations require full compliance by March 1, 2010.

Because the first component of the identity theft legislation, the amendments to Chapter 93 concerning security freezes, focuses more on individual consumers than on the typical businesses we serve, this White Paper focuses on the second two components of the legislation, Chapter 93H (and the Regulations adopted thereunder) and Chapter 93I. We discuss each in turn below.

Requirements in the Event of a Security Breach (Chapter 93H)

Chapter 93H is known as the Massachusetts security breach notification rule. It defines a breach of security as the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information and that creates a substantial risk of identity theft or fraud against a resident of the Commonwealth.[7] Importantly, the statute does not treat as a breach the good faith but unauthorized acquisition of personal information for lawful purposes, as long as the personal information is not then (1) used in an unauthorized manner or (2) subject to further unauthorized disclosure.[8]

Chapter 93H requires a person to notify certain entities in a prescribed way following a security breach. The statute differentiates between breaches of (1) data that may create a substantial risk of harm and (2) personal information. A security breach may occur even if personal information is not included in the data that is acquired or used without proper authorization, if the acquisition or use of the data creates a substantial risk of identity theft or fraud. In the event that personal information is acquired or used by a person who lacks appropriate authorization to acquire or use such information, or is used for an unauthorized purpose, Chapter 93H triggers certain notification requirements, even if the security breach does not entail a substantial risk of harm. Chapter 93H § 3 creates a reporting obligation when a person (1) knows or has reason to know of a breach of security or (2) knows or has reason to know that the personal information of a resident was acquired or used by an unauthorized person or used for an unauthorized purpose.[9]

The entities that must be notified may include the owner or licensor of the personal information, the Attorney General, the Director of OCABR and any affected individual. Certain entities, such as state agencies, must report breaches to additional entities, such as the Information Technology Division or the Division of Public Records. Notification must occur as soon as practicable and without unreasonable delay.[10]

Chapter 93H creates different notice requirements depending upon (1) the type of person or agency that had the security breach and (2) the type of recipient receiving the notification. The statute differentiates between persons and agencies that store but do not own or license personal information[11] and those that own or license data.[12] For parties that maintain or store but do not own or license personal information that is then disclosed without proper authorization, Chapter 93H requires notification of the security breach to additional parties, such as the owner or licensor of the personal information.[13] For owners and licensors of personal information that unauthorized users obtain as a result of a security breach, Chapter 93H requires notice to the Massachusetts Attorney General, the Director of OCABR and the affected resident.[14] The Director of OCABR will then forward the names of select consumer reporting agencies and relevant state agencies to the notifying party. The notifying party must then notify the parties identified by the Director of OCABR as soon as practicable and without unreasonable delay.[15] The Office of the Massachusetts Attorney General has stated that it will permit a delay if (1) notification would hinder a criminal investigation and (2) the law enforcement agency notifies the Attorney General of this fact.[16]

The notification to the Attorney General that owners or licensors suffered a security breach or otherwise disclosed personal information without authorization requires three items of information: (1) the nature of the breach that occurred or the event that resulted in the unauthorized acquisition or use of the personal information, (2) the number of Massachusetts residents whose personal information had been obtained at the time the person makes the notification, and (3) a description of the steps that the notifying person or agency has taken, or anticipates taking, as a result of the incident. The notice to the affected residents must include the consumer's right to obtain a police report, information on how the resident can request a security freeze[17] and what information they will need to provide to obtain such a freeze,[18] and the fees that the consumer reporting agencies will charge.[19] Importantly, Chapter 93H constrains what the notifying party may disclose to the affected resident; the notice shall not provide the recipient with information about (1) the nature of the breach, or other type of unauthorized acquisition or use, that occurred, or (2) the number of residents of Massachusetts affected by the breach or unauthorized access or use of personal information.[20]

This is quite different from other state notification rules that actually require the notifying party to disclose the nature of the breach, ostensibly so that the consumer can judge for him- or herself the risk of potential identity theft stemming from that breach. By contrast, Massachusetts is concerned that sharing information about the nature of the breach could further jeopardize the confidentiality of the information involved in the breach, particularly if the information is still exposed somewhere, for example, through internet cache pages. The bottom line is that any breach notification letter sent to a Massachusetts resident should omit the two pieces of information listed above.

Furthermore, Chapter 93H provides that certain entities covered by federal breach notification laws shall be deemed in compliance with Chapter 93H, so long as the entities comply with the federally mandated procedures to which they are subject when a breach occurs and so long as they notify appropriate Massachusetts officials and affected residents. Specifically, the statute provides that a person who maintains procedures for responding to a breach of security pursuant to federal laws is deemed to be in compliance with this chapter if the person notifies affected Massachusetts residents in accordance with the ... required procedures when a breach occurs; ... [as well as] the attorney general and the director of [OCABR] ... as soon as practicable and without unreasonable delay[.][21] For example, a business covered by the Health Insurance Portability and Accountability Act (HIPAA) that follows the HIPAA-required procedures in the event of a breach is deemed to comply with Chapter 93H, so long as the business notifies appropriate Massachusetts officials and affected residents.[22] The statute also provides details as to what should be included in the notice to the officials.

Finally, in addition to the notification requirements, Chapter 93H directs OCABR to adopt regulations relative to any person that owns or licenses personal information about a resident of the [C]ommonwealth.[23] The statute describes the purpose and objectives for the regulations, and notes that the regulations shall take into account the person's size, scope and type of business, the amount of resources available to such person, the amount of stored data, and the need for security and confidentiality of both consumer and employee information.[24]

The Massachusetts Regulations

In response to the Chapter 93H directive, OCABR released the first final Massachusetts Regulations on September 19, 2008.[25] OCABR has since revised the Regulations twice and postponed the effective date several times. OCABR released the most recent final version of the Regulations on October 30, 2009, and they are set to be published in the official register on November 13, 2009, which will be the effective date of the Regulations.[26] Despite being effective on that date, full compliance with the Regulations is not required until March 1, 2010.

Starting March 1, 2010, the Regulations require all persons who own or license personal information about a Massachusetts resident to have in place minimum standards regarding the protection of the security, confidentiality and integrity of such personal information.[27] As set forth in more detail below, the Regulations oblige businesses to, among other things, (1) perform risk assessments as to the security, confidentiality and integrity of any records containing personal information, (2) create a comprehensive, written information security program, (3) take reasonable steps to verify that any of their third-party service providers with access to personal information can safeguard such information in compliance with the Regulations, and (4) observe certain minimum standards for administrative, physical and computer system security as well as security incident response.

Five sections comprise the Regulations. Section 17.01 explains the purpose and scope. Section 17.02 defines terms. Section 17.03 imposes several duties on owners and licensors of personal information.[28] Section 17.04 specifies the minimum requirements for securing computer systems. Section 17.05 contains just one line that mandates full compliance by March 1, 2010.

[1] MASS. GEN. LAWS ch. 93, §§ 56, 62A (2009).
[2] MASS. GEN. LAWS ch. 93H (2009).
[3] MASS. GEN. LAWS ch. 93H (2009).
[4] MASS. GEN. LAWS ch. 93I (2009).
[5] MASS. GEN. LAWS ch. 93I (2009).
[6] 201 MASS. CODE REGS. 17.00-17.05 (2009).
[7] Id. § 1(a). This White Paper uses the terms "security breach" and "breach of security" interchangeably.
[8] Id.
[9] Id. § 3.
[10] Id. § 3(a)-(b).
[11] Id. § 3(a).
[12] Id. § 3(b).
[13] Id. § 3(a).
[14] Id. § 3(b).
[15] Id.
[16] See Scott D. Schafer, Overview of Massachusetts Data Security Laws (June 5, 2009), in New Data Security Rules and Best Practices, Suffolk University Law School CLE Presentation, June 2009 (hereinafter Schafer), at 23.
[17] A security freeze precludes anyone from opening new credit in the name of the person to whom the freeze is applied, or from making a credit check on his or her account, until the person elects to remove the freeze. A fraud alert does not preclude the affected individual from opening a new credit line or prevent credit checks by the individual or third parties. Instead, it requires notification to the affected individual whenever someone attempts to open a new line of credit for the affected individual. A fraud alert requires renewal every quarter.
[18] MASS. GEN. LAWS ch. 93, §§ 56, 62A.
[19] Id.
[20] MASS. GEN. LAWS ch. 93H, § 3(b).
[21] MASS. GEN. LAWS ch. 93H, § 5 (2009).
[22] See id.
[23] Id. § 2(a).
[24] Id.
[25] 201 MASS. CODE REGS. 17.00-17.04 (2008).
[26] 201 MASS. CODE REGS. 17.00-17.05 (2009).
[27] 201 MASS. CODE REGS. 17.01.
[28] Persons who "own or license" are defined to also include persons who receive, maintain, process or otherwise have access to personal information in connection with the provision of goods or services or in connection with employment. Id. 17.02.

SECTION 17.01

Section 17.01 describes the purpose and scope of the Regulations. Fundamentally, the Regulations establish minimum standards to protect personal information consistent with Chapter 93H.[29] The stated objectives for implementing the Regulations are to (1) protect the security and confidentiality of customer information consistent with industry standards, (2) protect against unanticipated threats or hazards to the security or integrity of customer information and (3) protect against unauthorized access to or use of customer information that may result in substantial harm or inconvenience to any consumer.[30] Certain elements of these objectives are not contained within the sections of the Regulations providing directives to covered persons. For example, the concepts of consistency with industry standards or inconvenience to customers do not appear elsewhere in the Regulations. Similarly, the term "customer" is not defined, nor is it used in the latter sections of the Regulations. Instead, those sections use the term "consumer," which is likewise undefined. To date, OCABR has not explained the discrepancy, nor has the Massachusetts Attorney General indicated what impact, if any, the objectives will have on enforcement.

The second paragraph of Section 17.01 explains that the Regulations apply to all persons that own or license personal information about a resident of the Commonwealth.[31] Notably, the Regulations do not contain a geographical limitation on their application.

SECTION 17.02

Section 17.02 contains definitions of some of the key terms used in the Regulations. The Regulations apply to any person that owns or licenses personal information of a resident of the Commonwealth.[32] Persons include natural persons, business entities and other legal entities.[33] The phrase "owns or licenses" means the person receives, stores, maintains, processes or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.[34] The Regulations define personal information as a Massachusetts resident's first name and last name, or first initial and last name, in combination with at least one of that resident's (1) Social Security number, (2) driver's license number or other state-issued identification card number, or (3) financial account number or credit or debit card number.[35] The Regulations protect personal information contained in records that are in paper or electronic form.[36] For purposes of this White Paper, we refer to persons that own or license personal information as "covered persons."

SECTION 17.03

For individuals and businesses seeking to comply with the Regulations, the most significant responsibility is to create, monitor and maintain a comprehensive written information security program (WISP) consistent with Section 17.03.[37] Section 17.03 details numerous components that must be contained in the WISP. In addition to the various requirements contained in the Regulations, the WISP must also be consistent with the personal information safeguards contained in any other relevant state or federal regulations.[38]

Section 17.03 starts by describing the most practical requirements for a WISP; namely, the WISP must be written and it must comprise one or more readily accessible parts.[39] The Regulations then broadly describe the types of safeguards that should be contained in the WISP. These safeguards must include administrative, technical, and physical components that ensure the security and confidentiality of records containing personal information.[40] The types of safeguards that may be appropriate vary significantly depending upon the nature of the entity and the type of personal information involved. The Regulations prescribe a four-factor risk-utility assessment to evaluate the adequacy of any individual WISP's safeguards. Those factors are: (1) the size, scope and type of business of the covered person; (2) the resources available to such person; (3) the quantity of stored data; and (4) the need for security and confidentiality of both consumer and employee information.[41]

Within that general framework, the second paragraph of Section 17.03 lists various components which every WISP must include. First, every WISP must designate at least one employee to maintain the program.[42] In most cases, such employee or employees will be responsible for implementing the WISP in the first instance, for continued monitoring and maintenance of the program, and for responding to security events such as breaches.

Second, the WISP must include policies and procedures to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any ... records containing personal information.[43] These risk assessments require the covered person to examine and, where necessary, improve the effectiveness of existing safeguards intended to limit such risks. Areas that must be monitored and improved include, at a minimum, training of employees and contractors,[44] employee compliance with the applicable security policies and Regulations,[45] and the means for detecting and avoiding system failures that could result in the unauthorized disclosure of personal information.[46]

Third, in light of the risks identified in the risk assessments, covered persons must create data security policies that effectuate the WISP's administrative, technical and physical safeguards. The policies required by Section 17.03 fall into three general types: (1) personnel policies (covering employees and third-party service providers); (2) policies relative to physical access to personal information; and (3) policies and procedures for responding to breaches of security.

Personnel policies should contain all components necessary to effectively protect the security of personal information. Under Section 17.03, policies applicable to employees must, at a minimum, cover the storage, access and transportation of records containing personal information outside of the business premises,[47] and must implement measures to prevent terminated employees from accessing records containing personal information.[48] Violators of the WISP must face disciplinary measures.[49] Data security policies should apply to employees, contractors and other service providers alike. In fact, under Section 17.03, covered persons are required to take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with the Regulations,[50] and to require by contract that service providers implement and maintain appropriate security measures.[51] The Regulations provide that where a business has entered into a multiyear contract prior to March 1, 2010, it has a grace period of two years from that date (in other words, until March 1, 2012) to bring the contract into compliance with the third-party service provider requirements of the Regulations.[52]

In addition, the WISP must contain policies on physical access to records containing personal information. Section 17.03 requires that the WISP contain reasonable restrictions on physical access to records containing personal information.[53] Physical access policies should include any restrictions that may be appropriate to protect the security of personal information, but must require that records and data containing personal information are stored in locked facilities, storage areas or containers.[54]

Section 17.03 further requires the WISP to include policies and procedures for responding to a breach of security. At a minimum, such policies must include (1) the covered person's plan for documenting its response to any incident that involves a breach of security, (2) mandatory post-incident review and (3) the steps taken to modify existing business practices affecting personal information.[55]

Finally, Section 17.03 requires covered persons to undertake a program of ongoing monitoring and maintenance. The WISP must ensure that the covered entity (1) regularly monitors compliance with the WISP in a manner reasonably calculated to prevent unauthorized access to or use of personal information and (2) updates its information safeguards when necessary to mitigate risks.[56] In addition, the Regulations require the covered entity to review the scope of its security measures (1) at least annually or (2) whenever a material change occurs in the covered person's business practices that may reasonably implicate the security or integrity of records that contain personal information.[57]

SECTION 17.04

Section 17.04 builds upon the framework outlined in Section 17.03 and imposes obligations upon covered persons with respect to systems that store or transmit personal information, including wireless systems.[58] The Regulations delineate a lengthy list of components that must, at a minimum and to the extent technically feasible, be included in the WISP.[59]

[29] Id. 17.01(1).
[30] Id.
[31] Id. 17.01(2).
[32] 201 MASS. CODE REGS. 17.02, 17.04.
[33] Id.
[34] Id.
[35] Id. Under the Regulations, information lawfully obtained from publicly available resources such as federal, state or local governments is not considered personal information.
[36] Id.
[37] Id. 17.03(1).
[38] Id.
[39] Id.
[40] Id.
[41] Id.
[42] Id. 17.03(2)(a).
[43] Id. 17.03(2)(b).
[44] Id. 17.03(2)(b)(1).
[45] Id. 17.03(2)(b)(2).
[46] Id. 17.03(2)(b)(3).
[47] Id. 17.03(2)(c).
[48] Id. 17.03(2)(e).
[49] Id. 17.03(2)(d).
[50] Id. 17.03(2)(f)(1).
[51] Id. 17.03(2)(f)(2).
[52] Id.
[53] Id. 17.03(2)(g).
[54] Id.
[59]

The covered person's WISP must address (1) the use of secure user authentication protocols,[60] (2) the use of secure access control measures,[61] (3) the encryption of transmissions of personal information over networks,[62] (4) the monitoring of systems,[63] (5) the encryption of all data containing personal information stored on laptops or other personal devices,[64] (6) the firewalling and patching of operating systems for systems connected to the Internet over networks,[65] (7) the installation and updating of security agent software,[66] and (8) the education and training of workers on the proper use of computer security systems and the importance of protecting personal information.[67]

Covered persons must employ secure user authentication protocols. Section 17.04(1) enumerates five elements of such protocols. They include managing user IDs and other identifiers;[68] employing reasonably secure ways of assigning and determining passwords or other similar attributive technologies, including biometrics or tokens;[69] managing passwords so that they are stored in secure locations and/or in formats that sufficiently protect the data they safeguard;[70] restricting access to only active users with active accounts;[71] and blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.[72]

In addition, covered persons must implement secure access controls.[73] Such controls must limit access to records and files that contain personal information to those users who have a legitimate reason to access such personal information in order to perform their job duties.[74] The requisite secure access controls also include assigning unique user IDs and passwords to each person with access to computer systems that are reasonably designed to maintain the integrity of the security of the access controls.[75] Such user IDs and passwords must differ from default vendor-supplied passwords.[76]

The Regulations require encryption[77] of all records and files that the covered person transmits so long as they (1) contain personal information and (2) travel across public networks.[78] A covered person must encrypt any data containing personal information that he or she will transmit wirelessly.[79] The Regulations also require the encryption of personal information stored on laptops or portable devices.[80]

With respect to monitoring, the Regulations require reasonable monitoring of systems.[81] This includes watching for the unauthorized (1) use of or (2) access to personal information.[82]

The Regulations also impose obligations upon covered persons to protect computer systems. The WISP must include a security system that, to the extent technically feasible, includes running system security agent software that includes (1) malware safeguards and (2) reasonably up-to-date software patches and virus definitions, or legacy security agent software that has the ability to receive such patches and virus definitions.[83] Covered persons must set up the system-security software to receive regularly the most current security updates.[84] The Regulations impose additional requirements on covered persons who connect systems with files containing personal information to the Internet. These include installing reasonably up-to-date (1) firewall protection and (2) operating system security patches, both of which must be reasonably designed to maintain the integrity of the personal information.[85]

55 Id. § 17.03(2)(j).
56 Id. § 17.03(2)(h).
57 Id. § 17.03(2)(i).
58 Id. § 17.04.
59 Id. According to the Office of Consumer Affairs' Frequently Asked Questions Regarding 201 CMR 17.00, the standard of technical feasibility takes reasonableness into account. http://www.mass.gov/eoca/docs/idtheft/201cmr17faqs.pdf.
60 Id. § 17.04(1).
61 Id. § 17.04(2).
62 Id. § 17.04(3).
63 Id. § 17.04(4).
64 Id. § 17.04(5).
65 Id. § 17.04(6).
66 Id. § 17.04(7).
67 Id. § 17.04(8).
68 Id. § 17.04(1)(a).
69 Id. § 17.04(1)(b).
70 Id. § 17.04(1)(c).
71 Id. § 17.04(1)(d).
72 Id. § 17.04(1)(e). We have quoted this provision exactly but believe it means the protocols should include blocking access to user authentication after (1) multiple unsuccessful attempts to gain access or (2) any attempt to circumvent the limitation placed on access for the particular system. OCABR has not yet clarified the meaning of this provision.
73 Id. § 17.04(2).
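The authentication-protocol and access-control elements of Sections 17.04(1) and 17.04(2) summarized above, as an added example that is not part of the advisory: a small Python login gate that keeps passwords in a protective format (17.04(1)(c)), admits only active accounts (17.04(1)(d)), blocks a user ID after repeated unsuccessful attempts (17.04(1)(e), read as footnote 72 suggests) and refuses vendor-supplied default passwords (17.04(2)(b)). The threshold of five attempts, the default-password list and the account names are assumptions; the Regulations fix no number.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed lockout threshold: 17.04(1)(e) requires blocking after "multiple"
# unsuccessful attempts but fixes no number.
MAX_FAILED_ATTEMPTS = 5
# Constructed sample of vendor-supplied defaults (17.04(2)(b)).
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme"}


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """17.04(1)(c): keep passwords in a format that protects them (salted PBKDF2)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    active: bool = True        # 17.04(1)(d): only active users with active accounts
    failed_attempts: int = 0
    locked: bool = False       # 17.04(1)(e): blocked after repeated failures


def create_account(user_id: str, password: str) -> Account:
    """Assign a unique user ID and a non-default password (17.04(2)(b))."""
    if password in VENDOR_DEFAULT_PASSWORDS:
        raise ValueError("vendor default password not permitted")
    salt, digest = hash_password(password)
    return Account(user_id, salt, digest)


def authenticate(acct: Account, password: str) -> str:
    """Return 'ok', 'inactive', 'locked' or 'denied' for one login attempt."""
    if not acct.active:
        return "inactive"
    if acct.locked:
        return "locked"
    _, candidate = hash_password(password, acct.salt)
    if hmac.compare_digest(candidate, acct.digest):
        acct.failed_attempts = 0   # a successful login clears the failure count
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True         # block the user ID until an administrator resets it
        return "locked"
    return "denied"
```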
Finally, Section 17.04 makes covered persons responsible for educating and training employees on (1) how to use computer security systems properly and (2) the importance of securing personal information.[86]

SECTION 17.05

The final section requires that all covered persons be in full compliance with the Regulations on or before March 1, 2010.

Data Disposal Requirements (Chapter 93I)

Chapter 93I creates certain requirements for disposing of and destroying personal information, which includes biometric indicators, so that it cannot practicably be read or reconstructed.[87] The statute applies to physical records as well as electronic media. The required method of data disposal or destruction is contingent upon the media type. Persons or agencies disposing of or destroying paper records must burn, redact, pulverize or shred the records so that unauthorized persons cannot read or reconstruct the personal information.[88] Persons or agencies disposing of or destroying electronic records or other types of media containing personal information must destroy or erase the media to accomplish the same ends.[89] In actual practice, this may require degaussing hard drives, running data scrubbing software utilities that include multi-pass writes over hard drives, physically destroying drives or backup tapes, or other similar actions.

Under Chapter 93I, persons may contract with third-party vendors to destroy or dispose of their data.[90] These third-party vendors, however, must implement and monitor compliance with policies and procedures that prohibit unauthorized access to, acquisition of or use of personal information during the collection, transportation and disposal of personal information.[91]

Under Chapter 93I, violations may result in civil fines amounting to $100 per affected data subject, with such fines capped at $50,000 for each instance of non-compliant disposal.[92] In addition, the Attorney General has the authority to recover penalties through a civil action.[93] Section 3 allows the Attorney General to bring an action pursuant to the Massachusetts Regulation of Business Practices for Consumers Protection[94] in the event of non-compliant disposal or destruction of records.

Enforcement

With respect to enforcement, Chapter 93 expressly permits individuals to bring suit to enforce its provisions, while both Chapters 93H (including the Regulations) and 93I only expressly permit enforcement by the Massachusetts Attorney General. Experts question, however, whether courts will also permit individuals to bring suit under the consumer protection provisions of Chapters 93 and 93A to remedy violations of Chapters 93H and 93I.

In addition, there is always the potential for an individual consumer to bring actions (individually or as class representatives) in Massachusetts courts asserting tort claims and claims for unfair or deceptive business practices against companies whose actions or inactions caused them harm, such as in the case of a preventable security breach that results in theft of the consumer's identity.

Furthermore, the Massachusetts Attorney General has consistently maintained that enforcement will not have geographic boundaries. This essentially means that if an out-of-state business has personal information of a Massachusetts resident, and there is a breach of security of that information, the business can expect to be held accountable in Massachusetts for failures to comply with applicable Massachusetts data security laws and regulations. Despite the Attorney General's clear conviction, courts may ultimately have to resolve the issue of jurisdiction in these cases. The determination generally comes down to whether an extraterritorial business has sufficiently availed itself of the resources of the Commonwealth of Massachusetts to be subject to the jurisdiction of its courts. To the extent a company does, in fact, do business in Massachusetts, it can expect to be held accountable in Massachusetts. To the extent a company has no physical connection to Massachusetts, it may escape the reach of the Massachusetts courts and its Attorney General. There are many types of business connections with a state, however, that courts have construed to be availing oneself of the resources of that state. For example, courts have concluded that selling goods and services on the worldwide web qualifies as availing oneself of worldwide jurisdiction.

For this reason, businesses that are located outside of Massachusetts but whose businesses in any way touch Massachusetts (including through the virtual world) should consult with counsel to determine whether they have an obligation to comply with the Massachusetts data security laws. In all events, whether it is the Attorney General or individual consumers leading the charge, companies that are subject to the Massachusetts data security laws and regulations face substantial penalties and litigation costs following a security breach involving personal information of a Massachusetts resident. This, of course, is in addition to provable damages, which could potentially be tripled under Massachusetts consumer protection laws. For these reasons, companies throughout the United States are wise to evaluate the extent to which they are subject to the Massachusetts data security laws and regulations and, if so, to begin to chart a course toward compliance.

74 Id. § 17.04(2)(a).
75 Id. § 17.04(2)(b).
76 Id.
77 Chapter 93H defines "encrypted" as a transformation of data employing a key length of at least 128 bits, unless further defined by regulations. 201 Mass. Code Regs. § 17.00 does not further define the key length requirements for the encryption of personal information. Instead, § 17.02 defines "encrypted" as the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.
78 Id. § 17.04(3).
79 Id.
80 Id. § 17.04(5).
81 Id. § 17.04(4).
82 Id.
83 Id. § 17.04(7).
84 Id.
85 Id. § 17.04(6).
86 Id. § 17.04(8).
87 MASS. GEN. LAWS ch. 93I, § 2(a)-(b).
88 Id. § 2(a).
89 Id. § 2(b).
90 Id. § 2(b) (flush language).
91 Id.
92 Id. § 3; MASS. GEN. LAWS ch. 93A, § 4 (2009).
93 Id. § 3.
94 MASS. GEN. LAWS ch. 93A, § 4 (2009).

For more information, please contact your regular McDermott lawyer, or:

Stephen W. Bernstein: +1 617 535 4062, sbernstein@mwe.com
Vanessa Gilbreth: +1 617 535 4477, vgilbreth@mwe.com
Heather Egan Sussman: +1 617 535 4177, hsussman@mwe.com
Stephen White: +1 617 535 4029, swhite@mwe.com

For more information about McDermott Will & Emery visit www.mwe.com

The material in this publication may not be reproduced, in whole or part, without acknowledgement of its source and copyright. The Massachusetts Data Security Law and Regulations is intended to provide information of general interest in a summary manner and should not be construed as individual legal advice. Readers should consult with their McDermott Will & Emery lawyer or other professional counsel before acting on the information contained in this publication.

© 2009 McDermott Will & Emery. The following legal entities are collectively referred to as "McDermott Will & Emery," "McDermott" or "the Firm": McDermott Will & Emery LLP, McDermott Will & Emery/Stanbrook LLP, McDermott Will & Emery Rechtsanwälte Steuerberater LLP, MWE Steuerberatungsgesellschaft mbH, McDermott Will & Emery Studio Legale Associato and McDermott Will & Emery UK LLP. McDermott Will & Emery has a strategic alliance with MWE China Law Offices, a separate law firm. These entities coordinate their activities through service agreements. This communication may be considered attorney advertising. Previous results are not a guarantee of future outcome.