Massachusetts Revises Data Security Regulations; Extends Effective Date

Date: Aug 26, 2009

For companies wondering how to deal with the Massachusetts mandate that companies handling certain types of personal information about Massachusetts residents implement a comprehensive written information security program, there is some good news. On August 17, 2009, the Massachusetts Undersecretary of the Office of Consumer Affairs and Business Regulation announced a delay in the effective date of the Massachusetts data security regulations, along with some important revisions. The effective date of the regulations was extended to March 1, 2010.

The Massachusetts regulations apply to any person that receives, maintains, processes, or otherwise has access to "personal information" about a resident, whether in paper or electronic form, in connection with the provision of goods, services, or employment. The "personal information" covered by the regulations is the type subject to most state data breach notification laws, namely, a resident's first name or initial and last name, plus one or more of the following: Social Security number, driver's license number or state identification card number, financial account number or credit or debit card number (with or without any security code, access code, or password that would permit access to a resident's financial account).

Affected persons must develop, implement, maintain, and monitor a comprehensive written information security program that includes, without limitation:

  • Designating employees to maintain the program;
  • Identifying and assessing reasonably foreseeable risks and evaluating safeguards;
  • Developing policies regarding employee storage, access, and transport of records outside the premises;
  • Imposing disciplinary measures for violations;
  • Preventing terminated employees from accessing records;
  • Overseeing third party service providers, and requiring them by contract to implement and maintain appropriate security measures;
  • Restricting physical access to records, and storing records securely;
  • Routine monitoring;
  • Reviewing measures annually or whenever a change in business practices occurs; and
  • Documenting responsive actions taken in connection with any breach.

Affected persons must also incorporate into their security programs several computer system security requirements, such as secure user authentication protocols, secure access control measures, encryption, firewall protection and operating system security patches, system security agent software, and employee education and training. The revisions clarify that these requirements, including encryption of personal information stored on laptops and other portable devices, need only be included in the security program "to the extent technically feasible." This broad mandate had created concerns, even though encryption is effectively a defense under most state data breach notification laws.

The intent of the revisions, including the rollback of the effective date, is to help small businesses that do not handle large amounts of personal information covered by the law to comply, but the delay benefits all businesses potentially affected. The revisions emphasize a risk-based approach to security that takes into account a business's size, scope, and type, its available resources, the amount of stored data, and the need for security and confidentiality of consumer and employee information. A public hearing on the revisions will be held on September 22.

While the effective date of the Massachusetts regulations has been extended, giving affected entities more time to implement a formal written data security program, the broader question is whether the Massachusetts law will be the start of proliferating state data security laws that risk the same type of confusion and potential conflict seen with the approximately 45 state data breach notification laws. For example, the various state data breach notification laws impose different requirements as to who must be notified and the content of notifications. In addition, while most state laws tie a breach to unencrypted data, the Massachusetts law in particular extends to encrypted electronic data together with the confidential process or key, and the Massachusetts law also applies to data in any form (i.e., electronic or paper).

At the same time, entities that qualify as "financial institutions" or "creditors" with "covered accounts" under the FTC's Red Flags Rule will still need to implement a written identity theft prevention program to comply with the Red Flags Rule by the November 1, 2009 deadline for that Rule.

Consumers and businesses both care about the privacy and security of sensitive data. Adopting reasonable measures to maintain data security is sensible from a business, commercial, and customer relations perspective. However, unduly prescriptive rules or "one-size-fits-all" approaches simply do not work. A flexible framework is needed. Most importantly, national guidance is necessary to avoid inconsistencies that will add confusion and costs to the data security challenge.