New Massachusetts Regulations Create Additional Requirements for Protecting Personal Information
December 01, 2009
by Michael Fleming & James Graves
Businesses that maintain personal data have become accustomed to complying with numerous state and federal laws requiring them to maintain certain levels of data security or privacy. These obligations have often resulted in nearly gut-wrenching changes in businesses' policies and practices, and the risks that arise from violations of these new obligations continue to increase. These companies will soon have a new set of data security and privacy requirements to meet, from the state that brought us the opening shots of the Revolutionary War.
When Massachusetts enacted its data breach notification law in 2007, it included a provision directing the state's Office of Consumer Affairs and Business Regulation to adopt a regulation "designed to safeguard the personal information of residents of the commonwealth." Two years later, the result (201 CMR 17.00) has been finalized and is scheduled to take effect on March 1, 2010.
The Massachusetts rule prescribes specific practices that a regulated business must follow when handling protected data. Unlike data breach notification laws, which only specify what a company must do after a breach has occurred, the Massachusetts rule is an attempt to reduce the risk of a breach happening in the first place.
Existing federal data privacy statutes focus on particular industries such as health care or banking. The new Massachusetts rule does not; it regulates anyone with possession or control of protected consumer data. "Personal information" under the rule is a Massachusetts resident's first name (or first initial) and last name combined with a Social Security number, driver's license or state identification card number, or a financial account or payment card number. Thus, companies that do not fit within the narrow buckets of federally regulated businesses can no longer avoid data security obligations, at least when handling data about Massachusetts residents.
This applies even to businesses located outside of Massachusetts. The Massachusetts regulation covers anyone who "receives, stores, maintains, or processes" data about a Massachusetts resident, regardless of where the data is located or where the person holding the data is located. Thus, a website operator in Minnesota with Massachusetts customers would have to protect that customer data in compliance with the Massachusetts rules. Although there is some question about how far Massachusetts can enforce its rules outside its own borders, risk-averse businesses should plan to comply with Massachusetts law with regard to their Massachusetts customers by next March. Having gone that far, many companies may find it more efficient to treat all of their customer data with the Massachusetts-level standards of care.
Anyone subject to the regulation must create and maintain a comprehensive written information security program, scaled to the size and nature of the business and the sensitivity of the data it holds. That written security program must include, among other things, a designated person responsible for the program, periodic risk assessments, security awareness training, security system monitoring, physical security measures, and contractual agreements with service providers requiring those service providers to comply with the Massachusetts regulations. The regulation also requires that, to the extent technically feasible, data handlers use secure authentication protocols (including control of user IDs and passwords and blocking access after repeated failed login attempts) and access control measures that restrict access to those who need it for their jobs, maintain reasonably up-to-date firewall protection and operating system security patches, and run malware protection software with up-to-date patches and virus definition files. Personal data must be encrypted when transmitted over a public network or wirelessly, and when stored on laptops or other portable devices.
Even after a period of public criticism of earlier drafts and changes made in response, the final Massachusetts regulation creates a significant new set of data privacy and security obligations. Some of these requirements will be familiar to businesses that have had to comply with standards such as the Payment Card Industry (PCI) Data Security Standard, Gramm-Leach-Bliley security standards, or HIPAA security rules. Organizations that do not fall within those existing categories may find the new regulation more demanding than what they are used to. All organizations holding customer data should begin planning now to meet these obligations before the March 1, 2010 deadline.
- Michael Fleming is a member of the Larkin Hoffman Daly & Lindgren Ltd. Intellectual Property, Technology and Internet Practice. James Graves, CISSP, is a J.D. candidate at William Mitchell College of Law and is a law clerk at Larkin Hoffman.