					DLA Piper | Publications | Massachusetts Extends Effective Date of Data Security Regula... Page 1 of 5

4 DEC 2008

Massachusetts Extends Effective Date of Data Security Regulations
ARTICLE E-COMMERCE AND PRIVACY ALERT

by David A. Lieber

General compliance with the final data security regulations, which were released by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) and originally were to go into effect January 1, 2009, will instead take effect May 1, 2009, due to “intervening economic circumstances.” Businesses will have until January 1, 2010, to comply with two distinct data security requirements imposed by OCABR. As noted in our January 3, 2008, E-Commerce and Privacy Alert,[1] the regulations will affect every company that stores personal information about Massachusetts residents. The regulations mark the first time that a state has issued detailed data security rules that broadly regulate the storage, transmission, and disclosure of personal information.

The Regulations

Purpose and Definitions

In 2007, Massachusetts enacted an identity theft statute that directed the OCABR to promulgate data security regulations (“Regulations”) that are “consistent with the safeguards for protection of personal information set forth in the federal regulations.”[2] While based on the Gramm-Leach-Bliley (GLB) Safeguards Rule, the Regulations depart from the GLB Safeguards Rule in significant ways and contain more prescriptive requirements. The Regulations apply to “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”[3] The Regulations establish minimum standards for the protection of personal information[4] of Massachusetts residents contained in electronic and paper records; they are not limited to records located within the Commonwealth.

http://www.dlapiper.com/mass_extends_date/

12/4/2008


The purposes of the Regulations are to (1) ensure the security and confidentiality of personal information; (2) protect personal information against threats or hazards; and (3) protect personal information against unauthorized access or use that could create a substantial risk of identity theft or fraud.

Duty to Protect and Standards for Protecting Personal Information

Under section 17.03 of the Regulations, covered businesses are required to develop a comprehensive written information security program that reflects (1) the size, scope and type of business; (2) the amount of resources available to the business; (3) the amount of stored information maintained by the business; and (4) the sensitivity of the information. The Regulations identify twelve specific elements that all written information security programs must contain. Although some of the elements are similar to those required by the GLB Safeguards Rule, others are more prescriptive. They require businesses to:

- Develop policies for employees to “keep, access and transport records containing personal information outside of business premises”;
- Impose disciplinary measures for violations of the plan;
- Prevent terminated employees from accessing records containing personal information;
- Take “reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information” and obtain written certification from third-party service providers that they are in compliance with the Regulations;
- Limit the amount of personal information collected, the time personal information is retained, and access to personal information, unless all records are handled as if they contained personal information;
- Identify records, computing systems, and storage media to determine which records contain personal information;
- Restrict physical access to records containing personal information, including storing records and data in “locked facilities, storage areas or containers”; and
- Document responsive actions taken in connection with any incident involving a security breach.

As noted in our January E-Commerce and Privacy Alert, many of these requirements reflect best practices. The Regulations, however, are more granular in the data security mandates that are imposed. Other states that have enacted data security laws require businesses to broadly implement reasonable security procedures to protect personal information and/or implement data destruction protocols to ensure the secure destruction of documents and electronic files or media containing personal information.

Computer System Security Requirements

Section 17.04 of the Regulations requires any business that electronically stores or transmits personal information about Massachusetts residents to “include in its written, comprehensive information security program the establishment and maintenance of a security system covering computers, including wireless systems.” Section 17.04 identifies specific data security protocols that computer security systems must contain, including:

- Secure user authentication protocols;
- Secure access control measures, including assigning “unique identifications plus passwords, which are not vendor supplied default passwords”;
- Encryption, “to the extent technically feasible… [of] all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly”;
- Monitoring of the system for unauthorized use of or access to personal information;
- Encryption of all personal information stored on laptops or other portable devices;
- Reasonably up-to-date firewall protection and operating system security patches;
- Reasonably up-to-date versions of system security agent software, including malware protection, patches and virus definitions; and
- Education and training of employees on the proper use of the computer security system and the importance of information security.

Regulations Create Significant Compliance Challenges

The Regulations create significant compliance challenges for businesses that maintain personal information about Massachusetts residents. The GLB Security Rule has become the de facto regulatory scheme for businesses that are not financial institutions. Businesses that seek to abide by the data security regulations under the GLB Safeguards Rule, however, should be aware of the discrete provisions imposed by the Regulations.

Service Providers

Section 17.03(f) requires businesses to (1) take reasonable steps in selecting third-party service providers who may have access to personal information and (2) bind third-party service providers, by contract, to maintain safeguards that protect personal information. Section 17.03(f) also requires that "[p]rior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations" (emphasis added). Businesses must obtain a separate certification for each third-party service provider that handles personal information about Massachusetts residents. This requirement appears to apply to both prospective and existing relationships that companies have with third-party service providers that handle personal information about Massachusetts residents.

Identifying Documents and Electronic Files Containing Personal Information

Under Section 17.03(h) businesses must identify “paper, electronic, and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.” The requirement to identify records that contain personal information suggests an inventorying process, unless a business is prepared to treat all information, including non-personally identifiable information, in the same manner as sensitive personal information.
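An added illustration, not material from the alert or from DLA Piper: a small Python classifier that applies the definition of personal information quoted in footnote 4 (a covered name combined with at least one of elements (a) to (c), excluding publicly available information) to constructed sample records, the kind of rule a 17.03(h) record inventory could run. Field names and sample values are assumptions made for the example.

```python
from dataclasses import dataclass

# Added example, not code from the alert or from DLA Piper: it applies the
# 201 CMR 17.02 definition of "personal information" (quoted in footnote 4)
# to constructed records, as a 17.03(h) record inventory would. Field names
# are illustrative assumptions.

@dataclass
class Record:
    first_name: str = ""      # full first name or a first initial such as "J."
    last_name: str = ""
    ssn: str = ""             # element (a): Social Security number
    license_id: str = ""      # element (b): driver's license or state ID number
    account_no: str = ""      # element (c): financial account or card number
    publicly_available: bool = False  # the definition excludes public information

def has_covered_name(rec: Record) -> bool:
    """Last name combined with either a full first name or a first initial."""
    return bool(rec.last_name.strip()) and bool(rec.first_name.strip())

def data_elements(rec: Record) -> list:
    """Names of the elements (a)-(c) present in the record."""
    fields = (("ssn", rec.ssn), ("license_id", rec.license_id), ("account_no", rec.account_no))
    return [name for name, value in fields if value.strip()]

def is_personal_information(rec: Record) -> bool:
    """Covered name plus at least one data element, unless publicly available."""
    if rec.publicly_available:
        return False
    return has_covered_name(rec) and bool(data_elements(rec))

def inventory(records, treat_all_as_pi: bool = False) -> dict:
    """Summarise which records are in scope. treat_all_as_pi models the
    17.03(h) option of handling every record as if it contained PI."""
    in_scope = [r for r in records if treat_all_as_pi or is_personal_information(r)]
    return {"total": len(records), "in_scope": len(in_scope)}

# Constructed sample records with fictitious values.
SAMPLE = [
    Record("Jane", "Doe", ssn="123-45-6789"),              # name + SSN: in scope
    Record("J.", "Doe", account_no="4111111111111111"),   # initial + card: in scope
    Record("", "Doe", ssn="123-45-6789"),                  # no first name or initial
    Record("Jane", "Doe"),                                 # name only, no element
    Record("Jane", "Doe", license_id="S1234567", publicly_available=True),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.first_name, rec.last_name, data_elements(rec), is_personal_information(rec))
    print(inventory(SAMPLE), inventory(SAMPLE, treat_all_as_pi=True))
```

Note that a real inventory must also decide the "publicly available" question per record, which the definition excludes but which no field check can settle on its own.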


Encryption

Section 17.04(3) requires "[t]o the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly." Under the Regulations, the term "records" means "any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics." The term "encrypted" means the "transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key, unless further defined by regulation by the office of consumer affairs and business regulation" (emphasis added). Similarly, all personal information stored on laptops or portable devices must be encrypted.

Limiting Collection and Retention of Personal Information

Section 17.03(g) requires businesses to limit “the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it was collected” and to limit “the time such information is retained to that reasonably necessary to accomplish the purpose.”

Password Protocols

Section 17.04(2)(ii) requires that secure access control measures “assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.” Some computer security experts are questioning the continuing wisdom of relying on password protocols to prevent and restrict access to sensitive personal information.[5] The Regulations would require the utilization of unique identifications plus passwords.

Deadline for Compliance Extended

On November 14, citing the current “economic circumstances,” the OCABR extended the general effective date from January 1, 2009, to May 1, 2009, in order to “provide flexibility to businesses that may be experiencing financial challenges brought on by national and international economic conditions.”[6]

This date coincides with the new FTC Red Flags Rule compliance date.[7]

Deadlines for certain specific requirements were extended even further. Businesses now have until January 1, 2010, to obtain written certification from third-party service providers that they are in compliance with the Regulations. Similarly, the deadline for encrypting portable devices other than laptops, such as memory sticks and PDAs, has been extended to January 1, 2010.

[1] "Massachusetts Agency Weighing Prescriptive State-Specific Data Security Regulations," DLA Piper E-Commerce and Privacy Alert.
[2] Mass. Gen. Laws ch. 93, § 2.
[3] 201 CMR 17.00 et seq.: Standards for The Protection of Personal Information of Residents of the Commonwealth.
[4] Personal information is defined in the same manner as Massachusetts’ security breach statute: a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements: (a) Social Security number; (b) driver's license number or state-issued ID number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. The definition does not cover publicly available information. 201 CMR 17.02.
[5] Randall Stross, "Goodbye, Passwords. You Aren’t a Good Defense," New York Times, August 9, 2008 (last visited November 18, 2008).
[6] "Business Community Given Additional Time to Comply with Identity Theft Prevention Regulations."
[7] "FTC Delays Identity Theft ‘Red Flags’ Rule Enforcement For Six Months," DLA Piper E-Commerce Alert, October 27, 2008.
