The Massachusetts Office of Consumer Affairs and Business Regulation has issued final regulations implementing the Commonwealth's security breach law, Massachusetts General Laws c. 93H (the Regulations). The Regulations, codified at 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, become effective on January 1, 2009 and establish rigorous standards for safeguarding Personal Information.
Who is Covered?
The Regulations apply to individuals, corporations, associations, partnerships, and other legal entities that own, license, store, or maintain "Personal Information" about a resident of Massachusetts (each, a "Covered Entity"). The Regulations are not expressly limited to companies doing business in Massachusetts, but it is an open question whether the Commonwealth could hold an out-of-state company liable for its handling of information about Massachusetts residents that was collected in other states.
What Information is Covered?
- Unlike many state data breach laws, the Regulations apply to Personal Information kept in paper as well as electronic form.
- The definition of "Personal Information" is broader than the parallel definition in most state laws of this sort. It covers an individual's first name and last name, or first initial and last name, in combination with any one or more of the following: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to the resident's financial account. Data lawfully obtained from public records is excluded.
What is Required?
Under the Regulations, a Covered Entity must develop, implement, maintain and monitor a comprehensive, written "Information Security Program" that (a) is consistent with industry standards (e.g., ISO), and (b) applies to all records containing Personal Information. As part of that program, the Covered Entity must:
- Implement administrative, technical, and physical safeguards to ensure the security and confidentiality of such records. These safeguards must also be consistent with existing state and federal requirements for protecting information "of a similar character" (e.g., HIPAA, GLBA);
- Designate an employee who is responsible for maintaining the Information Security Program;
- Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of records containing Personal Information, and evaluate and improve, where necessary, the effectiveness of current safeguards for limiting such risks;
- Train employees on information security and discipline them for violating the Information Security Program's rules; and
- Vet and supervise service providers, including by obtaining a written certification from each service provider that it has a written information security program meeting the requirements of the Regulations.
What's New?
The Regulations are detailed and prescriptive. For example, the Program must include procedures for:
- Determining whether and in what manner employees are permitted to keep, access, and transport records containing Personal Information outside of business premises;
- Limiting collection of and retention periods for such information;
- Creating and maintaining an inventory of records, IT systems, and storage media, including laptops and portable devices used to store information or records that contain Personal Information. (Alternatively, a Covered Entity may treat all of its records as if they contain Personal Information.);
- Regularly monitoring compliance with, and the adequacy of, the Information Security Program, including whenever there is a material change in business practices and in any event no less than annually;
- Documenting every information security breach and the response to it, in accordance with a written incident response plan that requires a post-incident review of the events and records any resulting changes to information security practices;
- Restricting access to records containing Personal Information on a need-to-know basis, which includes:
- A complex, unique user ID and password for each user (i.e., no shared or group IDs), with passwords stored securely and accounts terminated promptly when no longer needed;
- Up-to-date firewall protection, security patches, agent software, malware protection, and virus definitions; and
- Logging and monitoring tools to detect intrusions and misuse; and
- Encrypting electronic records containing Personal Information, including:
- To the extent technically feasible, all records and files containing Personal Information that will be transmitted across public networks, and all data transmitted wirelessly; and
- All Personal Information stored on laptops or other portable devices.