New Data Security Regulations to Take Effect in Massachusetts on March 1st, 2010

The scramble is on as companies seek to comply with the Massachusetts identity theft regulations, touted as "the first of their kind in the country," which are scheduled to take effect on March 1, 2010.

The effective date’s announcement followed a report indicating there have been over one million instances of Massachusetts residents’ personal information being exposed in two years. “We hope these regulations will make it harder for information to get into the wrong hands, and lower the number of instances of data being lost or stolen,” said Barbara Anthony, the Undersecretary of the Office of Consumer Affairs and Business Regulation (OCABR).

While M.G.L. c. 93H was passed in 2007, controversy emerged over how to pursue some of the law's objectives through regulations. After repeated postponements and revisions, brought on largely by changes in the economic climate and the compliance concerns of businesses, the regulations are now set to take effect on March 1st.

“We heard testimony from a wide range of sources, and the message was that we have struck the right balance. We created regulations that are protective of consumers without being onerous to businesses,” Undersecretary Anthony said.

The regulations, known as 201 CMR 17.00 (PDF file), are designed to preserve privacy by raising the level of security applied to personal information. They apply to anyone who owns or licenses "personal information" about a Massachusetts resident. Personal information means a resident's first name and last name (or first initial and last name) in combination with any of: (a) a Social Security number; (b) a driver's license number or state-issued identification card number; or (c) a financial account number, or credit or debit card number, that would permit access to the resident's financial account.

The regulations require that businesses take a risk-based approach and develop, implement, and maintain a written comprehensive information security program containing administrative, technical, and physical safeguards appropriate to the size, scope, and type of business. The written program must take into account the resources available, the amount of data stored, and the need for security and confidentiality of both consumer and employee information. It must also include a computer security system covering every computer with access to the stored personal information (including any wireless system).

The regulations set minimum requirements to the extent they are technically feasible. For instance, encryption of personal information is required for: (a) records and files transmitted across public networks; (b) data transmitted wirelessly; and (c) information stored on laptops or other portable devices. The computer security system requirements further call for other controls to be adopted and followed (e.g., secure authentication and passwords, employee training, access restriction and monitoring, and reasonably up-to-date firewall, anti-malware, and patching protections).

In examining reported data breach incidents, OCABR found that fewer than 3% involved data that was encrypted when breached. It also found that 60% of the reported incidents were the result of criminal or unauthorized acts, frequently the theft of laptops or hard drives, and that roughly 40% of all incidents were the result of "employee error or sloppy internal handling of personal information or other data."

The OCABR report adds, “[t]his confirms that any regulatory regime must include both measures that protect against intentional wrongdoing and measures that focus on establishing internal protocols that set minimum standards for handling sensitive paper and electronic records.” These concerns, and others, lie at the foundation of the adopted regulations.

In sum, the new regulations seek to balance consumer protection with business concerns. Business owners should review the regulations in full, as the requirements are comprehensive and may take time and effort to satisfy. There are also extended deadlines and additional requirements for businesses that contract with third-party service providers. To learn more about identity theft protection, visit the Office of Consumer Affairs and Business Regulation website at www.mass.gov/consumer.

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 5 of 5

Massachusetts Senate Bill No. 173 (PDF file, or see the full text below), introduced this year, would amend M.G.L. c. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on several fronts. I've addressed a few of these in past posts.

After a short vacation, today I'll briefly address the fourth proposed change, but more importantly the sum of all the proposed changes, because I fear they fail to protect consumers and their privacy rights and instead seem very good at protecting certain business interests aided by powerful lobbying efforts.

Briefly, under the fourth proposed change, employees could be terminated for willful violations of the law, regulations, or written information security plans.

While I'm not going to attack this language (although you can see the proverbial passing of the buck coming here), it makes me ask, "As a group, did any of the four proposed changes help consumers while guarding individuals' privacy rights?"

Let's review a summary of the three changes I've previously discussed:

  1. Businesses would not have to comply with any Massachusetts state regulations that set stricter standards than federal law.
  2. OCABR would be prevented from requiring that any specific technology or method be employed. The proposed amendment thus effectively guts OCABR's encryption requirement (and its power to impose one by regulation).
  3. The law would not apply evenly, but would depend on the size of the business and require separate standards to be promulgated for small businesses, implying that a person's privacy rights matter less depending on who is infringing them. This would also add delay as further layers of regulation are adopted.

The answer to my earlier question, I'm afraid, is a resounding "No": none of the four proposed changes help consumers while guarding individuals' privacy rights. Hence the title of this series of posts, "An Act Ensuring Less Privacy of Massachusetts Residents' Data," a play on the proposed act's title, "An Act Ensuring the Privacy of Certain Data."

As stated in other posts, privacy rights simply aren't being treated as rights held by individuals but rather as things or issues to be regulated. With economic considerations, lobbying, and political influence guiding the outcome, it appears that short-term economic arguments may continue trumping individuals' privacy concerns. In the end, so long as economic incentives and business interests are placed before individuals' rights, then privacy rights can't really exist, no matter what we call or title them.

The full text of Senate Bill 173, An Act Ensuring the Privacy of Certain Data, is below. Funny, I don't think this is available anywhere else on the web except in PDF. Why is that?


SECTION 1. Section 2 of Chapter 93H of the General Laws, as appearing in the 2006 Official Edition, is hereby amended by striking out subsection (a) and inserting in place thereof the following:

(a) The department of consumer affairs and business regulation may adopt regulations relative to any person or agency that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person or agency is regulated. The objectives of the regulations shall be to: insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

The regulations shall take into account the person's size, scope and type of business, the amount of resources available to such person, the amount of stored data, and the need for security and confidentiality of both consumer and employee information. Notwithstanding the rules adopted by the department pursuant to the provisions above, said department shall create separate regulations for small businesses covered by this chapter that reflect said small businesses' unique situation and resources.

Any person who is required to comply with federal laws, rules, regulations, guidance, or guidelines safeguarding personal information is deemed to be in compliance with this chapter.

SECTION 2. Section 6 of Chapter 93H of the General Laws is hereby amended by adding at the end thereof the following: A willful violation of this chapter or regulations implementing this chapter, or a written information security plan issued by a person covered by state or federal privacy laws shall provide just cause for the termination of an employee, whether the employee is employed by a private person, public agency or political subdivision of the state.


If you are interested in tracking Senate Bill 173 or others, perhaps this resource from the University of Iowa law library may be helpful. Here are a few of the helpful offerings or resources available there.