White Paper: Protection of Personal Information Law

December 2008

I. Overview
M.G.L. c. 93H, enacted in 2008, requires any “person” (corporation, association, partnership or other legal entity) to take steps to safeguard all “personal information in their possession related to a resident of Massachusetts.” The purpose of this law is to ensure the security and integrity of such information and to combat the threat of identity theft.

The state Office of Consumer Affairs and Business Regulation (“OCABR”) has issued regulations detailing the steps that businesses need to take to comply with the new law. These regulations set forth in 201 CMR 17.00 were initially to be effective January 1, 2009, with a few requirements phased in thereafter, but the deadline for full compliance was eventually extended by OCABR to January 1, 2010, in an effort to give businesses extra time to comply with the new law’s complex obligations.

The regulations define “Personal Information” as including the following numbers whenever they are associated with a particular person’s name (first and last name, or first initial and last name):

▪ Social Security number;
▪ Driver’s license or state-issued ID number; and
▪ Financial account number or credit/debit card number, where such numbers would permit access to the person’s financial account.

The Sample Information Security Plan published by the OCABR is appended to this white paper. The law provides for the issuance of separate regulations for public employers.

II. Development and Implementation of a Security Plan
Any employer or business that maintains the above-referenced personal information of any of its customers or employees must, by May 1, 2009, have in place a comprehensive written security program to protect the confidentiality of such information. The program must contain administrative, technical and physical safeguards.

In evaluating whether or not a particular comprehensive security program is compliant with the regulations, the state will take into account several factors such as the size and nature of the business, its resources, the volume of the stored data and the need for security. However, the regulations enumerate certain mandatory criteria that must be included in every business’ information security program.

The first such requirement mandates the designation of a Data Security Coordinator who is charged with implementing, supervising and maintaining the Security Plan. He/she is responsible for training employees, managers and contractors, ongoing testing of the plan, overseeing compliance by third-party service providers and their contracts, and reviewing the scope of the security plan at least annually or whenever there is a material change in business practices that affects the security of personal information records. In addition, all comprehensive security programs must at a minimum include the following:

● Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to: (i) ongoing employee (including temporary and contract employee) training; (ii) employee compliance with policies and procedures; and (iii) means for detecting and preventing security system failures.

● Security policies for employees must be developed that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.

● Imposition of disciplinary measures for violations of the comprehensive information security program rules.

● Prevention of terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.

● Reasonable steps must be taken to verify that third-party service providers with access to personal information have the capacity to protect such personal information in the manner generally set forth in the regulations, and to ensure that third-party service providers apply protective security measures at least as stringent as those required pursuant to the regulations.

● The amount of personal information collected must be limited to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with state or federal record retention requirements.

● The identification of paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.

● Reasonable restrictions must be imposed upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas or containers.

● Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.

● A review of the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

● The documentation of responsive action taken in connection with any incident involving a breach of security and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

III. Computer System Requirements
The Regulations also mandate that any business that electronically stores or transmits personal information must maintain a security system for its computers and any wireless system. There are eight established elements that at a minimum must be included in any computer security system.

(1) For secure user authentication protocols, the regulations require that a business establish a “reasonably secure” method for the assignment and selection of passwords, or that the business use a unique identifier technology such as biometrics or token devices. A system for the control of data security passwords must be implemented that maintains such passwords in a location or format that protects their security. Access must be restricted to active users so that former employees cannot compromise the computer system and its stored information. The system must also be configured so that access to a user identifier is blocked after multiple unsuccessful attempts to gain access.

(2) Businesses must restrict access to personal information records to those who have a need to know such information in the performance of their job duties. In addition, such employees with computer access must be assigned unique identifications plus passwords. Such passwords cannot be vendor supplied default passwords.

(3) To the extent it is technically feasible, encryption is required for all transmitted records and files containing personal information that will travel across public networks. Likewise, encryption is required for all such data transmitted wirelessly.

(4) Businesses must reasonably monitor their computer systems for unauthorized use of or access to personal information.

(5) Encryption of all personal information stored on laptops or other portable devices is also required.

(6) If a computer system is connected to the Internet, files containing personal information must be protected by a firewall and operating system security patches.

(7) Up-to-date security agent software must be included in a business’ computer system. Such security software must include malware protection and reasonably up-to-date patches and virus definitions. The software must be enabled to receive the most current security updates on a regular basis.

(8) Employees must receive education and training on the proper use of the computer security system and the importance of maintaining the security of personal information. The regulations do not specify the content of such training; nor do they establish goals related to frequency of such training sessions.
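The authentication and access controls in items (1), (2) and (4) above can be implemented with a small amount of logic. The following is an added example, not code from the white paper or from OCABR: an in-memory user store that assigns unique user IDs, keeps passwords only as salted PBKDF2 hashes, rejects a constructed list of vendor-supplied default passwords, locks an account after a configurable number of failed logins, immediately deactivates departed users, and records each login event so that attempts against locked or deactivated accounts can be reviewed. The class and function names, the lockout threshold, the iteration count and the default-password list are all assumptions made for the example; the regulation itself only says “multiple failures.”

```python
"""Added example (not from the white paper): authentication controls in the
style 201 CMR 17.00 requires for computer systems.  All names and thresholds
below are assumptions chosen for illustration."""
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5        # assumed threshold; the regulation says only "multiple failures"
PBKDF2_ITERATIONS = 200_000    # assumed work factor for the password hash

# Constructed sample of vendor-supplied defaults; a deployment keeps its own list.
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678"}


class PasswordPolicyError(ValueError):
    """Raised when a chosen password violates the policy."""


class UserStore:
    """Holds user records with hashed passwords, lockout state and an event log."""

    def __init__(self):
        self._users = {}   # user_id -> record dict
        self.events = []   # (user_id, outcome) tuples for monitoring (item 4)

    @staticmethod
    def _hash(password, salt):
        # Passwords are never stored; only a salted PBKDF2-HMAC-SHA256 digest is kept.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def add_user(self, user_id, password):
        if user_id in self._users:
            raise ValueError("user IDs must be unique")          # item (2): unique identifiers
        if password.lower() in VENDOR_DEFAULT_PASSWORDS:
            raise PasswordPolicyError("vendor-supplied default passwords are not allowed")
        salt = secrets.token_bytes(16)
        self._users[user_id] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "failed": 0,
            "locked": False,
            "active": True,
        }

    def deactivate(self, user_id):
        """Terminated employee: electronic access ends immediately."""
        self._users[user_id]["active"] = False

    def is_locked(self, user_id):
        return self._users[user_id]["locked"]

    def authenticate(self, user_id, password):
        """Return True only for an active, unlocked user presenting the right password."""
        rec = self._users.get(user_id)
        if rec is None:
            self.events.append((user_id, "unknown-user"))
            return False
        if not rec["active"]:
            self.events.append((user_id, "inactive"))
            return False
        if rec["locked"]:
            self.events.append((user_id, "locked"))
            return False
        # Constant-time comparison avoids leaking information through timing.
        if hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"]):
            rec["failed"] = 0
            self.events.append((user_id, "success"))
            return True
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True                                  # item (1): block after repeated failures
        self.events.append((user_id, "failure"))
        return False

    def review_events(self):
        """Monitoring hook (item 4): login attempts against locked, inactive or unknown IDs."""
        return [e for e in self.events if e[1] in ("locked", "inactive", "unknown-user")]


if __name__ == "__main__":
    store = UserStore()
    store.add_user("jdoe", "correct horse battery staple")   # constructed sample user
    print(store.authenticate("jdoe", "correct horse battery staple"))   # True
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.authenticate("jdoe", "wrong")
    print(store.is_locked("jdoe"))                                       # True
    print(store.review_events())
```

The event list is deliberately simple; in practice the same records would be written to a log that the Data Security Coordinator reviews as part of the regular monitoring the regulations call for.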

IV. Reporting Obligations
Any business that maintains or stores personal information, but does not own or license the data, must provide electronic or written notice as soon as practicable of any breach of security or unauthorized acquisition or use of such data to its owner or licensor.

In addition, such business must “cooperate” with the owner or licensor by informing the owner or licensor of the date, or approximate date, of the incident and the nature of the incident plus any steps taken (or planned to be taken) relating to the incident.

After receiving the aforementioned notice or independently learning of a breach of security or unauthorized use of data containing personal information, the owner or licensor must provide notice (electronic or written) to the Attorney General, and the Director of Consumer Affairs and Business Regulation. This notice must include the nature of the incident, the number of residents of Massachusetts affected by the incident and any steps taken or planned to be taken relating to the incident.

Upon receipt of the aforementioned notice, the Director of Consumer Affairs and Business Regulation must identify any relevant consumer reporting agency or state agency and forward its name or names to the notifying business. When provided with these agencies’ names, the notifying business must also provide the above-referenced information to these agencies.

In addition to the above notification requirements, notice must also be provided by the data’s owner/licensor to the resident whose personal information was compromised. This notice must include the following information:

1. The consumer’s right to obtain a police report;
2. Information as to how a consumer requests a security freeze; and
3. Any fees required to be paid to any of the consumer reporting agencies.

Unlike the notification to the Attorney General and Director of Consumer Affairs and Business Regulation, the law specifically states that the notice to the subject resident cannot include the nature of the incident or the number of residents of Massachusetts affected by the incident.

All of the above-cited notices may be delayed, if such notice would impede a criminal investigation, until such time as notification no longer poses a risk to that investigation.

V. Other State and Federal Laws
M.G.L. c. 93H does not pre-empt any other federal or state law regarding the protection of personal information. Any business, however, that is required by federal law/regulation to maintain procedures for responding to a security breach is deemed to be in compliance with 93H if the business notifies the Attorney General and Director of Consumer Affairs of the breach as soon as possible after the incident. Such notice must include any steps taken by the business (or planned to be taken) pursuant to the applicable federal law, rule, regulation, guidance or guidelines. Failure to follow such federal requirements will subject the business to the full extent of all the requirements set forth in M.G.L. c. 93H.

VI. Enforcement
Enforcement of this law has been assigned to the Massachusetts Attorney General, who may pursue remedies pursuant to M.G.L. c. 93A, the Commonwealth’s Consumer Protection Statute. Under this law, the Attorney General may pursue injunctive or other equitable relief in the applicable Superior Court. In addition, each violation of the law is punishable by a civil fine of up to $5,000.00 plus reasonable costs of investigation and litigation and reasonable attorneys’ fees.

Skoler, Abbott & Presser, P.C.
Exclusively Representing Management in Labor and Employment Law