Morgan Lewis

Massachusetts Regulations Governing Protection of Consumer Information to Take Effect March 1, 2010

By Intellectual Property Practice

LawFlash/Client Alert

Published on: 08/27/2009


Massachusetts has joined the growing list of states that are requiring businesses to encrypt and secure personal data. On March 1, 2010, new regulations will take effect that apply to all "persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts." The effective date of the Massachusetts regulations has been postponed three times to give companies time to comply.

The regulations define "personal information" as a Massachusetts resident's first and last name, or first initial and last name, when found in combination with one or more of the following data elements: Social Security number, driver's license number, state-issued identification card number, financial account number, or credit or debit card number. Excluded from the definition of personal information is information lawfully obtained from publicly available information or from government records lawfully made available to the general public.

Every organization that owns, licenses, stores, or maintains personal information about a Massachusetts resident must, as of March 1, 2010, develop and maintain a comprehensive written information security program applicable to records containing such personal information. Both paper and electronic records are subject to these regulations. The written security program must contain administrative, technical, and physical safeguards that are appropriate to the size, scope, and type of business, the resources available to that business, the amount of the stored data, and the need for security and confidentiality of the information. These safeguards must be consistent with any other state or federal regulations that may be applicable to the business.

Every comprehensive information security program must at a minimum include provisions for:

  1. Designating a person to maintain the policy

  2. Identifying and assessing reasonably foreseeable risks to the confidentiality and security of the personal information, and evaluating and improving the effectiveness of safeguards with ongoing employee training, employee compliance, and means for detecting and preventing security system failures

  3. Developing security policies for employees that take into account whether and how employees may keep, access, or transport personal information outside business premises

  4. Imposing disciplinary measures for violations

  5. Preventing terminated employees from accessing personal information by immediately terminating physical and electronic access, including deactivating passwords and usernames

  6. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information in a manner consistent with the Massachusetts regulations and any applicable federal regulations. This would include use of language requiring third-party service providers to implement and maintain appropriate security measures consistent with the foregoing in contracts entered into after March 1, 2010. (A requirement that companies obtain written certification from vendors regarding their compliance with this law, which was in a previous version of the Massachusetts statute, has been eliminated.)

  7. Placing reasonable restrictions upon physical access to records containing personal information, and storage of records and data in locked facilities, storage areas, or containers

  8. Regularly monitoring the security program to ensure it is operating properly, and upgrading information safeguards as necessary to limit risks

  9. Reviewing the scope of security measures at least annually or when a material change in business practices may reasonably implicate the security of personal information

  10. Documenting responsive actions taken regarding any incident involving a breach of security, and mandatory post-incident reviews of events and actions taken, if any

If any personal information regarding a resident of Massachusetts is electronically stored or transmitted, the written comprehensive information security program must also include, to the extent technically feasible, the following additional elements relating to the computer systems:

  • Secure user-authentication protocols, including controls over user IDs and passwords, limiting access to active users and blocking access after multiple unsuccessful attempts to log on

  • Secure access-control measures, including restricting access to those with a need to know and assigning unique user IDs and passwords

  • Encryption of all transmitted personal information that will travel across public networks or wirelessly

  • Reasonable monitoring for unauthorized use of or access to personal information

  • Encryption of all personal information stored on laptops or portable devices

  • Firewall protection and operating system security patches for any system connected to the Internet

  • Reasonably up-to-date versions of software for protection against malware and viruses, and reasonably up-to-date patches for software

  • Education and training of employees on the proper use of the computer security system

The Massachusetts regulations join requirements already in place in Nevada, Connecticut, and California. The Nevada rules require encryption of all personal information transmitted over electronic networks by entities doing business in that state. Connecticut's recently enacted law requires businesses to undertake "reasonable measures" to protect electronic or other files containing personal information (and imposes a $500 fine for each violation, but not to exceed $500,000 for any single event). California's Office of Privacy Protection takes the position that its generic unfair trade practices laws require businesses to take reasonable steps to protect personal information.

In addition, most states now have laws requiring a business that experiences a breach of personal information to notify the affected individuals in certain circumstances.

Morgan Lewis attorneys have experience guiding businesses through new policies and programs needed to address these new laws and security concerns generally. We have also developed breach-notification plans and assisted businesses in coping with the consequences of a data breach.

For more information about the issues discussed in this LawFlash, please contact one of the following Morgan Lewis attorneys:

Boston
Todd S. Holbrook

Philadelphia
Gregory T. Parks

Washington, D.C.
Ron N. Dreben