Data Security Standards Delayed to May 1, 2009
Office of Consumer Affairs and Business Regulation extends time for compliance
Massachusetts businesses facing enhanced data security standards have been given more time to comply with the new requirements issued by the Office of Consumer Affairs and Business Regulation (“OCABR”). The regulations require every business and individual that maintains personal information about Massachusetts residents to take specific steps to ensure the security of that information.
The new regulations are a result of a law approved last year to combat identity theft. The law, Chapter 93H of the General Laws, directs OCABR to promulgate regulations setting forth minimum security requirements that apply to any business or individual that maintains a Massachusetts resident’s personal information. The final OCABR regulations, “Standards for the Protection of Personal Information of Residents of the Commonwealth,” require businesses to develop a security program that is consistent with the new standards and to come into compliance by May 1, 2009.
The regulations were originally to take effect on January 1, 2009, but OCABR has extended the general compliance deadline to May 1, 2009. The new date coincides with the effective date of the FTC’s Red Flags Rule, which requires financial institutions and creditors to develop and implement written identity theft prevention programs.
The compliance deadlines for certain components of the new Massachusetts standards have been delayed even further. The deadline for obtaining written certification of compliance from third-party service providers, described below, was extended to January 1, 2010. The deadline for encrypting personal information on portable media was also extended: to May 1, 2009 for laptops, and to January 1, 2010 for other portable devices.
What Information Must be Protected?
The law and regulations define “personal information” as a Massachusetts resident’s first name (or first initial) and last name, combined with his or her Social Security number, driver’s license number, financial account number, or credit or debit card number, regardless of whether the number is accompanied by the individual’s security code, personal identification number or password.
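Because the definition turns on a combination of elements (a name plus at least one listed identifier), a data inventory cannot simply look for Social Security numbers in isolation. The following is an added illustration, not part of the advisory and not OCABR’s guidance, of how that combination test can be applied to records during a data inventory. The field names, the sample records and the structural checks on SSN and card numbers are assumptions for this example; the checks are meant to reduce false positives, not to validate identifiers against any authority.

```python
import re

# Constructed example (not from the advisory): apply the statutory definition of
# "personal information" to records held as dicts. Field names are assumptions.

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def looks_like_ssn(value):
    """Structural check only: nine digits with no invalid area/group/serial blocks."""
    if not value:
        return False
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card_number(value):
    if not value:
        return False
    digits = re.sub(r"[\s-]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def has_name(record):
    # A first name OR a first initial counts, but only in combination with a last name.
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)


def is_personal_information(record):
    """True when a name is combined with at least one listed identifier.

    A PIN, security code or password is deliberately not required: the
    definition applies with or without them.
    """
    if not has_name(record):
        return False
    return (
        looks_like_ssn(record.get("ssn"))
        or bool((record.get("drivers_license") or "").strip())
        or bool((record.get("financial_account") or "").strip())
        or looks_like_card_number(record.get("credit_card"))
    )


def find_regulated_records(records):
    """Indexes of the records that must be protected under the regulations."""
    return [i for i, r in enumerate(records) if is_personal_information(r)]


# Constructed sample records for illustration only.
SAMPLE_RECORDS = [
    {"first_name": "J.", "last_name": "Smith", "ssn": "123-45-6789"},        # initial + SSN
    {"first_name": "Jane", "last_name": "Doe", "credit_card": "4111 1111 1111 1111"},
    {"ssn": "123-45-6789"},                                                   # identifier without a name
    {"first_name": "Jane", "last_name": "Doe", "ssn": "000-12-3456"},         # structurally invalid SSN
    {"first_name": "Jane", "last_name": "Doe", "email": "jane@example.com"},  # no listed identifier
    {"first_name": "Jane", "last_name": "Doe", "credit_card": "4111 1111 1111 1112"},  # fails Luhn
]

if __name__ == "__main__":
    print(find_regulated_records(SAMPLE_RECORDS))
```

In practice the record structure will come from each system’s schema; the point of the check is that a last name combined with any one listed identifier is enough, and that the presence or absence of a PIN or security code does not change the answer.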
Requirements of the Security Program
Any person or business that owns, licenses, stores or maintains a Massachusetts resident’s personal information must develop and maintain a comprehensive written information security program that is consistent with industry standards and contains safeguards to ensure the security and confidentiality of such personal information. All written security programs must address the following minimum requirements:
- Information Security Officer – One or more employees must be designated to be responsible for maintaining the information security program.
- Identifying Risks – The company must identify and assess reasonably foreseeable risks to the security of electronic and paper records that contain personal information. The program must address minimizing those risks by: (i) implementing employee training programs; (ii) monitoring employee compliance with the security program’s rules; and (iii) improving the means for detecting and preventing security system failures.
- Restricting the Transport of Records – The security program must address whether and how employees may keep, access and transport records containing personal information outside of business premises.
- Disciplinary Measures – The company must impose disciplinary measures for violations of the security program’s rules.
- Terminated Employees – The security program must immediately deny terminated employees access to both physical and electronic records.
- Third-Party Service Providers – The company must verify that vendors who have access to personal information are capable of maintaining the required safeguards and contractually require them to take such measures. As of January 1, 2010, the company must also obtain from each vendor a written certification that it is in compliance with the new regulations prior to permitting the vendor to access personal information.
- Limiting Data Collected – The company must limit the amount of personal information collected, and the duration for which such information is retained, to a level reasonably necessary for its business. In addition, the company must restrict employee access to such personal information to those individuals who are reasonably required to know such information.
- Identifying Where Records Reside – The security program must identify paper, electronic and other records, as well as other storage media (including laptops) that contain personal information.
- Limiting Physical Access – Physical access to records containing personal information must be restricted. This includes developing a written procedure that describes how such physical access will be restricted and storing secure records and data in locked facilities, storage areas or containers.
- Monitoring and Upgrading – The security program must provide for regular monitoring to ensure the prevention of unauthorized access to or use of personal information, and periodic upgrades to security measures as necessary.
- Reviewing Security Measures – Security measures should be reviewed at least annually or whenever there is a material change in business practice that might impact the security of records containing personal information.
- Documentation – Any incident involving a breach of security must be documented, including a mandatory post-incident review of the events and of the actions taken, to determine whether any changes should be made to the security program.
Computer System Requirements
The new regulations also specify a minimum set of requirements for computer systems that electronically store or transmit personal information. This set of requirements covers any computer, laptop or other electronic device that stores or transmits personal information, and includes wireless transmissions. The new regulations require that companies utilizing computer systems employ the following:
- Secure user authentication protocols, which include: (i) the use of user IDs and other identifiers; (ii) a reasonably secure method of assigning and selecting passwords (or the use of unique identifier technologies, such as biometrics or token devices); (iii) company control and secured storage of all data security passwords; (iv) restricting access to active users and active user accounts; and (v) locking a user ID after multiple unsuccessful attempts to gain access.
- Secure access control measures that: (i) restrict access to records containing personal information to those employees who need the information to perform their job duties; and (ii) assign to each person with computer access a unique user ID and password (not a vendor-supplied default) that are reasonably designed to maintain the integrity of the access controls.
- To the extent technically feasible, encryption of all personal information that will be transmitted across public networks or transmitted wirelessly.
- Reasonable monitoring of the system for unauthorized use of or access to personal information.
- Encryption of all personal information stored on laptops or other portable devices. The deadline for ensuring encryption of data on laptops is May 1, 2009, and the deadline for encrypting other portable devices is January 1, 2010.
- For records containing personal information on a system connected to the internet, reasonably up-to-date firewall protection and operating system security patches reasonably designed to maintain the integrity of such personal information.
- Reasonably up-to-date versions of system security agent software, including malware and virus protection.
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.
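The authentication and access-control items in the list above (unique IDs, no vendor-default passwords, access limited to active users, lockout after repeated failures, restriction of personal information to employees who need it, and monitoring of access) translate directly into an account store’s behaviour. The following is an added example, not code from the advisory or from OCABR, of a minimal account store that enforces those rules. The class and method names, the lockout threshold, the minimum password length and the list of default passwords are assumptions for this illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed example (not from the advisory or OCABR). All names, thresholds
# and the default-password list are assumptions for this illustration.

MAX_FAILED_ATTEMPTS = 5       # lock the user ID after this many failures
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000

# Vendor-supplied or otherwise default passwords that must never be accepted.
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "welcome1", "12345678"}


def _hash_password(password, salt):
    # Salted, iterated hash so stored passwords are not recoverable from the store.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    def __init__(self):
        self._users = {}      # user_id -> record; IDs are unique by construction
        self.audit_log = []   # monitoring: every authentication outcome is recorded

    def create_user(self, user_id, password, authorized_to_view_pi=False):
        if user_id in self._users:
            raise ValueError("user ID must be unique")
        if len(password) < MIN_PASSWORD_LENGTH or password.lower() in DEFAULT_PASSWORDS:
            raise ValueError("password is a vendor default or too weak")
        salt = os.urandom(16)
        self._users[user_id] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "active": True,
            "failed": 0,
            "locked": False,
            "authorized_to_view_pi": authorized_to_view_pi,
        }

    def deactivate(self, user_id):
        # Terminated employees: access is denied immediately.
        self._users[user_id]["active"] = False
        self._log(user_id, "deactivated")

    def authenticate(self, user_id, password):
        user = self._users.get(user_id)
        if user is None:
            # Hash anyway so response time does not reveal which IDs exist.
            _hash_password(password, b"\x00" * 16)
            self._log(user_id, "unknown_user")
            return False
        if not user["active"] or user["locked"]:
            self._log(user_id, "blocked")
            return False
        ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])
        if ok:
            user["failed"] = 0
            self._log(user_id, "success")
            return True
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True
            self._log(user_id, "locked")
        else:
            self._log(user_id, "failed")
        return False

    def can_view_personal_information(self, user_id):
        # Need-to-know: an active, unlocked account that was explicitly authorized.
        user = self._users.get(user_id)
        return bool(user and user["active"] and not user["locked"] and user["authorized_to_view_pi"])

    def _log(self, user_id, event):
        self.audit_log.append((time.time(), user_id, event))


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("alice", "correct horse battery staple", authorized_to_view_pi=True)
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.authenticate("alice", "wrong password")
    print(store.authenticate("alice", "correct horse battery staple"))  # locked, so False
    print([e[2] for e in store.audit_log])
```

The audit log is the hook for the “reasonable monitoring” item: a locked account, a deactivated account that keeps receiving login attempts, or a burst of unknown-user events are the conditions an administrator would want to review. Unlocking is left to an administrative process rather than a timer so that a lockout is always seen by someone.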
Evaluating a Security Program
The new regulations provide little guidance on the practical aspects of implementing a security program. They do state, however, that the following factors will be taken into account in determining whether a particular security program complies with the regulations:
- the size, scope and type of business;
- the amount of resources available;
- the amount of data stored; and
- the need for security and confidentiality of the stored information.
OCABR has published additional guidance on how to establish an information security program, including a model program for small businesses, a compliance checklist and answers to frequently asked questions, which are available on OCABR’s website, www.mass.gov/ocabr. While the model program sets forth practical ways to implement the new regulations, it suggests the inclusion of certain provisions that appear to exceed the scope of the new regulations. The model program should be used as a guide and adapted to the particular circumstances of each business or individual implementing a written information security program.
Federally Regulated Institutions are Also Subject to the New Standards
The new standards do not include an exemption for federally-regulated industries, such as financial services or health care organizations. This means that an organization is still subject to the new Massachusetts regulations even if it complies with its applicable federal regulator’s requirements related to the protection of records containing personal information.
This advisory was prepared by Nutter’s Data Security Breach and Privacy Law practice group. For further information, please contact Alexander Glovsky or your attorney at Nutter.
This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.