Massachusetts Data Security Regulations Impose Strict Controls on Employers and Retailers, Impact Outsourcing Relationships

13 October 2008 Publication

Legal News Alert: Privacy, Security & Information Management

The Commonwealth of Massachusetts recently issued final regulations mandating certain data security standards for all individuals and entities that own, license, store, or maintain personal information regarding Massachusetts residents. What this means for companies that hold any personal information about Massachusetts residents is that they will now be required to develop robust policies conforming to the Massachusetts standard, including encryption of personal information on laptops, new certifications from service providers, and amended outsourcing deals.

Almost every company that has employees or customers in Massachusetts will be affected by this new data security regulation. The regulation, springing from the Commonwealth’s 2007 omnibus security breach legislation, mandates specific steps toward the protection of personal information. The regulations define personal information as the combination of first name or initial with last name plus any number of identifiers (such as a Social Security Number) or financial account numbers, precisely the sort of data that employers and retailers are likely to be holding.

As Massachusetts takes the lead in detailing how companies must protect personal information, the following will now be legally required:

  • Designate one or more employees to manage a comprehensive information security program
  • Undertake a risk assessment and act upon the results
  • Develop data security policies with particular consideration of whether and how employees may take personal information outside business premises
  • Impose disciplinary measures for security program violations
  • Promptly remove access by terminated employees
  • Verify that third-party service providers can meet the Massachusetts regulations and obtain written certification that the service providers in fact do conform to the Massachusetts data security requirements
  • Limit the amount of personal information collected, the length of time the data is retained, and the access to those reasonably required to view and use such data
  • Understand precisely where personal information resides in the computer systems, unless the information security program treats all records as if they contained personal information
  • Provide physical and electronic access restrictions and regularly monitor to validate the effectiveness of the security program
  • Undertake program assessments at least annually
  • Fully document post-incident actions with lessons learned incorporated back into the security program

While many companies perform the preceding steps on an informal basis, the new regulations require implementation of a formal information security program. Massachusetts also requires steps usually reserved for data protection in Europe. Specifically, the security program and associated policies must implement user authentication protocols such as password complexity, tracking of active and inactive user accounts, and the use of unique identifiers. Furthermore, all personal information transmitted across public networks must be encrypted “to the extent technically feasible.” For data transmitted wirelessly, even across an internal wireless network, encryption is mandatory. As the Payment Card Industry Data Security Standards move from the WEP wireless encryption standard to WPA, companies should anticipate that internal wireless networks will be held to a similar expectation even when credit card data is not involved.

Additionally, all personal information stored on laptops and other portable devices must be encrypted. The Massachusetts regulation takes a technology-neutral approach to defining encryption but as a practical matter the definition of “breach of security” refers to “unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security…” of the personal information. No more passwords stuck to the bottom of the laptop, please.

The Massachusetts Regulations and Outsourcing Agreements
It is important to note the effect that the new regulations have on third-party outsourcing relationships. Beginning January 1, 2009, an affected company must take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect that data. Specifically, the regulation provides that “Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with these regulations.” [italics added].

Therefore, all persons — regardless of their location — who hold certain information on Massachusetts residents and allow access to that data to a service provider will need new due diligence considerations, additional contract language, and a meaningful audit program in order to comply with the Massachusetts data security regulation. Because there is no indication in the regulation of either retroactive effect or grandfather provisioning, companies that currently outsource certain functions would be advised to amend their existing contracts in light of the pending regulation.

Europeans have been accustomed to these types of prescriptive data security rules for the last few years. In the United States, this constitutes a new trend as Massachusetts, Nevada, and Minnesota, among others, begin to codify data security standards. The Massachusetts rule comes into effect on January 1, 2009, so internal data security resolutions should start in earnest now. 

Legal News is part of our ongoing commitment to providing legal insight to our clients and our colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or the following individual:

Peter F. McLaughlin
Boston, Massachusetts