We are fortunate this month to have an article about the New Massachusetts Privacy Regulations written by Karen A. Whitley, Esq. and Kathleen E. Cross, Esq., experts on this subject, and lawyers at Hanify & King, Professional Corporation. Please read carefully.
In response to several highly publicized breaches of confidential customer financial information, the Massachusetts Legislature passed a well-intentioned and straightforward law in August 2007 intended to “safeguard the personal information of residents of the commonwealth.” In February 2009, the Office of Consumer Affairs and Business Regulation (“OCABR”) fulfilled its charge to prepare regulations implementing the new law, with a set of extensive requirements for every person or business that “own[s], license[s], store[s] or maintain[s]” personal information of a resident of the Commonwealth. The breadth, cost and implementation timetable of these regulations, found at 201 C.M.R. 17.00 et seq., have elicited a concerted backlash from notable business groups, from lawyers to the mutual fund industry to health care providers.
In the short term, to ease the predicted strain on businesses, the OCABR postponed the deadlines for compliance with the regulations from January 1, 2009 to May 1, 2009, and more recently postponed the deadlines to January 1, 2010. However, many businesses will still be hard pressed to comply fully within that timeframe, especially given the possible added costs for revamping information technology policies and software. Notably, neither the law nor the regulations contain any exemption or opt-out for any category or size of business (which may be as small as a single person’s sole proprietorship). Considerations such as the “size, scope and type of business” as well as the volume of personal data handled by a particular business will be taken into account when evaluating compliance with the regulations. All businesses, including those outside of Massachusetts, are subject to these regulations if they hold personal information of residents of the Commonwealth.
What is Protected: Personal information is specifically defined as a resident’s first name (or first initial) and last name in combination with one or more of the resident’s 1) social security number, 2) driver’s license number or state-issued identification card number, or 3) financial account number or credit or debit card number, with or without any required security code, access code, personal identification number or password. If any of the foregoing information is lawfully available to the general public, it is not considered personal information under the statute and regulations.
How Personal Information Must Be Protected: Generally, each business must create a written information security program (“WISP”) that sets forth the components of its privacy plan “applicable to any records containing . . . personal information” and is customized to the business. The regulations recognize two levels of protection: one generally applicable to all records containing personal information, and a second applicable to personal information held on computers and other electronic devices.
General Protections for All Personal Information:
Every WISP must contain provisions for:
1) Designating one or more employees to maintain the security program;
2) Placing limits on collection of personal information, on the length of time it is retained, and to the persons allowed access to the information to “that reasonably necessary to accomplish the legitimate purpose for which it is collected”;
3) Identifying all records and places personal information is stored within the business, unless all information will be treated as personal information;
4) Providing, in writing, reasonable restrictions on physical access to personal information and storage of such information in locked areas or containers;
5) Assessing the risk of disclosure of personal information in all records which the business holds, including an assessment of existing safeguards (for example, employee training, compliance with security policies, how breaches of security are prevented/detected);
6) Identifying security policies for employees (for example, use and transport of personal information outside the business, discipline for violations of policy, and cutting off access to information immediately upon termination of employment);
7) Verifying that third-party vendors with access to personal information comply with the regulations, including revising contracts requiring vendors to maintain security safeguards. Effective January 1, 2010, a business must ask each third-party vendor for a certification that it has a WISP which complies with the regulations;
8) Including procedures for regular monitoring and upgrading of security measures;
9) Requiring at least annual review of security procedures or review whenever a business undergoes a material change in practices implicating records containing personal information; and,
10) Outlining procedures for documenting any breach of security, mandatory post-breach review of events and remedial measures to protect personal information.
Protections for Personal Information in Electronic Form: When a person or business “electronically stores or transmits” personal information, the WISP must include security procedures covering computers and wireless systems, such as:
1) Secure user authentication protocols that a) control user IDs and the methods of assigning and selecting passwords or other unique access technologies, b) restrict access to active users and active accounts only, and c) block access after multiple unsuccessful attempts to access the system;
2) Restrictions on access to records containing personal information to those employees with a “need to know,” with a unique user ID and password required to access the secured system;
3) Encrypting all transmitted records with personal information that will travel on public networks or by wireless transmissions;
4) Monitoring electronic systems for unauthorized use;
5) Encrypting all personal information on laptops and other portable devices;
6) Reasonably up-to-date firewall protection, malware and other security agent software, and operating system security patches, all regularly updated; and,
7) Employee training and education on security of electronic personal information.
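As an added illustration, and not code from the regulations, from OCABR’s sample WISP or from the authors, the following Python sketch shows what items 1, 2 and 4 above look like once they are implemented: accounts that are refused as soon as they are deactivated, a lockout after repeated failed logins, a need-to-know check before a class of records is released, and an audit log that a monitoring routine can scan for repeated failures. The five-attempt threshold, the fifteen-minute lockout, the record classes and the user names are assumptions chosen for the example; the regulation itself sets no numbers.

```python
"""Authentication gate with lockout, active-account and need-to-know checks.
Added example, not part of the original alert. Thresholds and record classes
are assumptions; 201 CMR 17.00 does not prescribe specific values."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5       # assumption: block after five bad passwords
LOCKOUT_SECONDS = 15 * 60     # assumption: fifteen-minute lockout


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a copied password table is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    active: bool = True
    need_to_know: set = field(default_factory=set)  # record classes this user may read
    failed: int = 0
    locked_until: float = 0.0


class AccessGate:
    def __init__(self, clock=time.time):
        self.accounts = {}
        self.audit = []          # (timestamp, event, user, detail) for monitoring
        self.clock = clock       # injectable so lockout expiry can be tested

    def add_user(self, user, password, need_to_know=(), active=True):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt),
                                      active, set(need_to_know))

    def deactivate(self, user):
        # Termination: access is cut off immediately, not at the next review.
        self.accounts[user].active = False
        self._log("deactivated", user)

    def authenticate(self, user, password) -> str:
        acct = self.accounts.get(user)
        if acct is None or not acct.active:
            # Unknown and inactive accounts get the same generic answer.
            self._log("denied_inactive_or_unknown", user)
            return "denied"
        now = self.clock()
        if now < acct.locked_until:
            self._log("denied_locked", user)
            return "locked"
        if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failed = 0
            self._log("login_ok", user)
            return "ok"
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed = 0
            self._log("locked_out", user)
            return "locked"
        self._log("bad_password", user)
        return "denied"

    def may_access(self, user, record_class) -> bool:
        # Need-to-know: an authenticated, active user still only sees record
        # classes explicitly granted to them.
        acct = self.accounts.get(user)
        allowed = acct is not None and acct.active and record_class in acct.need_to_know
        self._log("access_ok" if allowed else "access_denied", user, record_class)
        return allowed

    def repeated_failures(self, threshold=3):
        """Monitoring hook: users with at least `threshold` failed-login events."""
        counts = {}
        for _, event, user, _ in self.audit:
            if event in ("bad_password", "locked_out"):
                counts[user] = counts.get(user, 0) + 1
        return {u for u, n in counts.items() if n >= threshold}

    def _log(self, event, user, detail=""):
        self.audit.append((self.clock(), event, user, detail))
```

The audit list stands in for whatever log store the business already has; the point is that every refusal, lockout and access decision is recorded so that the “regular monitoring” the regulations call for has something to monitor.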
Although each WISP will be different based on the size and needs of a business, a sample WISP for a small business can be found on OCABR’s website.
Disclosure of a Breach: Disclosure obligations under the statute are triggered whenever a person or business becomes aware of a breach of security, or that personal information was acquired or used by an unauthorized person or for an unauthorized purpose. A breach of security is broadly defined as the unauthorized acquisition or use of unencrypted data containing personal information, or of encrypted data together with the confidential process or key capable of decrypting it, that creates a substantial risk of identity theft or fraud against a resident. If the person or business merely stores or maintains personal information, it must timely disclose the breach to the owner or licensor, provide the required information about the breach, and cooperate with the owner or licensor. An owner or licensor of personal information must provide notice of any breach to affected residents, the Attorney General of the Commonwealth and the director of OCABR. The statute (Mass. G.L. c. 93H) describes the information which must be provided about the breach.
Enforcement: Enforcement will be handled by the Attorney General’s Office, which may seek injunctive relief as well as penalties. The Attorney General’s office has not yet issued any guidance about its enforcement of the law or regulations.
Bottom Line: Almost all businesses will be subject to the new regulations, as the most basic personnel information for employees is, by definition, personal information. Many businesses subject to these regulations already take some, if not all, of the foregoing measures to protect personal information, as well as other information they consider confidential or proprietary, whether dictated by law (in which case they may already be considered compliant) or by industry standard. Most, however, will need to re-examine current protections and practices, if not start from square one, to create a WISP that includes the key components mandated by OCABR. Involving a senior IS employee or consultant will be essential for any business keeping personal information electronically. Furthermore, each business should collaborate with any of its third-party vendors who handle personal information (payroll companies, copying facilities, document storage facilities, etc.) to ensure that those vendors are also compliant.
While OCABR is not unsympathetic to this new financial burden for businesses in a difficult economic time, any burden is outweighed by the interest in protecting personal data. In light of the imminent deadline for enforcement, businesses are well-advised to begin the process of bringing systems into compliance as soon as possible.
Concurrent with the survey of information which will be necessary to draft a WISP, it is advisable to review and update other related policies, such as document or email retention policies, confidentiality policies, and policies governing employees’ use of company property, including laptops and electronic devices. In situations where personal information might have been compromised, Hanify & King’s lawyers are also available to help employers determine the appropriate course of action, and will guide employers through the required steps of notifying affected individuals and various governmental agencies.
For more information about the new privacy regulations or for assistance drafting a WISP or implementing other compliance measures and employer policies, please contact Karen A. Whitley, Esq.
Karen A. Whitley, Esq. represents employers and management in all types of employment-related legal matters, including litigation, training, investigations, and counseling. Ms. Whitley is a shareholder of the firm and also a founding member of the firm’s WomenatLaw initiative.
Kathleen E. Cross, Esq. is a shareholder of the firm and a founding member of the firm’s WomenatLaw initiative, concentrating her litigation practice in areas of internal business disputes in closely-held corporations and limited liability companies and partnerships, as well as bankruptcy litigation. Ms. Cross also advises charter schools in all areas of charter school law.
This alert may be considered advertising under the rules of the Supreme Judicial Court of Massachusetts. The information in this alert is provided for background purposes and should not be considered legal advice.