E-Alerts

Massachusetts Amends Data Security Regulations

Effective Date Delayed Until March 1, 2010

Yesterday, the Massachusetts Office of Consumer Affairs and Business Regulations (“OCABR”) issued amended implementing regulations related to M.G.L. c. 93H, the state’s data security statute.  Responding to the outcry from industry groups, most notably those representing small businesses, OCABR delayed the effective date of the implementing regulations from January 1, 2010 until March 1, 2010.

The amended regulations include several important changes from what was previously required of Massachusetts entities that possess “personal information” (i.e., a Massachusetts resident’s first and last name, or first initial and last name, combined with certain financial information, a social security number, a driver’s license number and/or a state-issued identification number) (201 CMR 17.00:  Standards for the Protection of Personal Information of Residents of the Commonwealth).  The amended regulations remain perhaps the most comprehensive nationally in attempting to protect against identity theft, although they are now intended to be more aligned with federal law, including the Federal Trade Commission’s Safeguards Rule.

The amended regulations include the following key changes from the prior version of the regulations.  While these changes are helpful, they are not dramatic.  Unfortunately, these changes do not significantly decrease employers’ compliance obligations.

In addition, OCABR has announced that there will be a hearing on these amended regulations in September, as discussed below.

A Tricky New Definition

The amended regulations appear to narrow the scope of coverage to include only those entities that “own or license” personal information about a Massachusetts resident.  In this regard, 17.01 appears to eliminate coverage for entities that “store” or “maintain” personal information.  However, in 17.02, the amended regulations define “Owns or licenses” to include the following terms:  “receives, maintains, possesses, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”  Thus, what was removed from one section was simply moved elsewhere, and the scope of covered entities does not seem to have been reduced.

Note: per the FAQs, the regulations no longer apply to natural persons who are not engaged in commerce.  This change will not affect many, if any, businesses.

Scaled-Back Data Security Audit

The amended regulations eliminate a previous requirement that covered entities must perform a comprehensive inventory of all paper, electronic and other records, computing systems and storage media used to store personal information.  Instead, covered entities must now identify and assess reasonably foreseeable internal risks to the security, confidentiality and/or integrity of any records containing personal information.  In this regard, however, the change may be more of a technical detail than relevant as a practical matter, because in order to be effective the risk assessment will need to identify which records may contain personal information, so that this information can be appropriately protected.

Thus, it is not clear that this amendment makes a meaningful reduction in the covered entities’ obligations.

Not Much Help For Small Businesses

The amended regulations have been described as adopting a “risk-based” approach to information security which should be more user-friendly to small businesses – but quite frankly, that is not apparent in the amended regulations.

According to OCABR, a risk-based approach “is one that directs a business to establish a written security program that takes into account the particular business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.”  OCABR’s Frequently Asked Questions Regarding 201 CMR 17.00 provides the following example:

[I]f you only have employee data with a small number of employees, you should lock your files in a storage cabinet and lock the door to that room. You should permit access to only those who require it for official duties.  Conversely, if you have both employee and customer data containing personal information, then your security approach would be more stringent.  If you have a large volume of customer data containing personal information, then your approach would be even more stringent.

In other words, the amended regulations seek to require a “one size does not fit all” approach, and indicate that small businesses may not need to adopt every component of the program, depending upon the nature of the business.

However, the change referenced in the above FAQs is not expressly included in the amended regulations themselves.  Likewise, the prior versions of the regulations did not clearly emphasize the “one size fits all” approach to data security.

Significantly, it should also be noted that the amended regulations do not exempt small businesses – which is a measure that had been the subject of serious lobbying efforts on behalf of small business.

Comprehensive WISP Components Reduced

Although the amended regulations still require all covered entities to prepare a Written Information Security Program (“WISP”), several mandated components of the WISP have been eliminated.  For example, covered entities will no longer be required to provide a written procedure regarding the manner in which access to records containing personal information is restricted.  In addition, the WISP need not contain an explanation of how terminated employees’ access to personal information is prevented or how the covered entity limits the amount of personal information accessed or retained by its employees.

However, while the WISP requirements are now somewhat reduced, the requirement to protect personal information has not been reduced, and thus as a practical matter, the failure to take these and other reasonable measures may lead to liability in the event of a breach that could have been prevented had these measures been taken.

Computer Requirements Limited To The “Technically Feasible”

In a revision that is more form than substance, the regulations no longer expressly require covered entities to undertake technical security measures that are not technologically feasible.

The computer security provisions of the previous version of the regulations required all covered entities to take certain technical steps to protect the storage or transmission of personal information, regardless of whether such steps were technically feasible.  The amended regulations require the exact same security measures, but only to the extent that they are “technically feasible.”  According to OCABR’s Frequently Asked Questions Regarding 201 CMR 17.00, “technically feasible means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.”

So, for example, the amended regulations only require the encryption of all portable devices, backup tapes or email if it is “technically feasible.”  For instance, it is technically feasible to encrypt laptops, but it may not be technically feasible to encrypt cell phones, blackberries and other similar devices.  Accordingly, personal information should not be stored or transmitted using such devices.  OCABR adds that there may be other appropriate safeguards that may be implemented to protect personal information, such as using a secure website or usernames and passwords.

In addition, the amended regulations define encryption in a manner that is less technical (and perhaps subject to wider interpretation or misunderstanding):  “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.”  It is not clear that this revision will have a dramatic impact on compliance obligations.

While there appears to be some sense (or hope) that this amendment will offer some financial relief to smaller businesses, these changes seem to offer relatively minor relief, at best, from the substantial compliance obligations under the data security statute.

Modified – And Delayed – Obligations Re: Third-Party Service Providers

The amended regulations clarify the steps that covered entities must take with regard to third-party service providers that store or maintain personal information owned or licensed by a covered entity.  First, the covered entity must take reasonable steps to select and maintain third-party service providers that are capable of taking the necessary measures to protect personal information consistent with the amended state regulations and applicable federal regulations.

Second, the compliance deadline is extended until March 1, 2012.  Thus, a covered entity has a two year grace period before it must enter into a contract with any third-party service provider, in which the third party must represent that it will implement and maintain appropriate security measures to protect the covered entity’s owned or licensed personal information.

This amended provision is a significant departure from the prior regulations, in which such contracts were simply recommended.  In addition, the amendment seeks to align the state’s contractual requirements for third-party service providers with those under applicable federal law, including the Federal Trade Commission’s Safeguards Rule.

Public Hearing

On September 22, 2009, OCABR will convene a public hearing to allow interested parties an opportunity to present oral or written testimony.  In addition, OCABR will accept written comments until the close of business on September 25, 2009.  We anticipate that OCABR may provide additional guidance for businesses on the implementing regulations based on this hearing and comments received, but the purpose of the hearing and comments is not crystal clear.

*******

It is not clear to what extent these regulations – or the compliance deadline – may be amended again in the future.  We will continue to keep you apprised in future e-alerts and seminars.

For those employers that are not well on their way to compliance, we encourage you to begin immediately.  The additional two months is helpful, but not a lot when you consider what must be done.

Data Security Breakfast Seminars

We invite you to participate in our ongoing breakfast seminars during which we provide the latest tips and tools to assist your organization in complying with the Massachusetts data security law and the amended implementing regulations.

Because of popular demand, Schwartz Hannum PC has added dates for its Data Security Regulations Briefings.  We currently have openings for breakfast seminars on August 25, October 15, October 27, November 3, and November 17.  These seminars will take place at our Andover offices from 8:30 to 10:00 a.m. and will provide an overview of the required compliance measures and offer a roadmap for compliance steps.  Attached is a registration form for these presentations.

Each Briefing will address:

  • Compliance Measures Covered Entities Must Take By March 1, 2010
  • Conducting A Preliminary Audit:  Identifying The Sources, Locations And Flow Of Personal Information Through Your Organization
  • How to Develop A Comprehensive Written Information Security Policy
  • Overview of Encryption Requirements
  • Vendor Compliance Issues
  • Employee Handbooks and Employment Contracts

Registration is $40.

As always, please do not hesitate to contact us with any questions.