High Quality
Open the downloaded document, and select print from the file menu (PDF reader required).
1
New Data Security Regulations Have SweepingImplications For Massachusetts Businesses
40 Broad Street, Boston, MA 02109 • 617.350.6800 •Gesmer.com
ae-paper
November 2008
Table o Contents
About the
Massachusetts LawAbout the New
Regulations
Massachusetts’ Data Security BreachNotifcation Law, Chapter 93H
O
ctober 31, 2008 marked the one-year anni-versary of the Massachusetts law requir-ing notication of individuals victimizedby data security breaches. The statute, Chapter93H of the Massachusetts General Laws, is one of 46 such laws in the UnitedStates, and its terms arelargely consistent withother states’ laws.Chapter 93H generallyrequires an individual,business or governmen-tal agency with “personalinformation” relating to astate resident to providenotice in the event of adata security breach.“Personal information” isdened as the name of a Massachusetts residentin combination with her Social Security num-ber; driver’s license or state ID number; nancialaccount number; credit card number or debit cardnumber. Basically, notication is required whenpersonal information (either in unencryptedform, or in encrypted form with its key) has beenused for an unauthorized purpose, or has beenacquired by an unauthorized person. The statute also calls for the implementation of regulations for the purpose of protecting thesecurity, condentiality and integrity of Massa-chusetts residents’ personal information.
New Regulations To ProtectPersonal Inormation
T
he Massachusetts Department of Con-sumer Aairs and Business Regulationsrecently issued regulations in response toChapter 93H’s edict. Unlike the Commonwealth’sapproach to the statute itself, however, the regu-lations represent a substantial departure fromwhat has come before, and they impose poten-tially signicant requirements that in many wayssurpass what is required elsewhere in the coun-try. These regulations, which may be found at 201Code of Massachusetts Regulations (CMR) 17
, are
presently scheduled to become eective on Janu-ary 1, 2009.At their core, the newregulations call for anyperson (which includescorporations and part-nerships, but not govern-ment bodies) who “owns,licenses, stores, or main-tains personal informa-tion” about a Massachu-setts resident to developand implement a writ-ten “comprehensive datasecurity program.” This ominous-sounding “infor-mation security program” requirement is notmerely an amorphous obligation to be proactivein the care and maintenance of personal data. The regulationsprovide an extensive (thoughnot exhaustive) list of itemsthat must be included in theprogram. They provide that themanner in which these itemsare implemented is dependentupon the following factors:
•
the size, scope and typeof business involved;
•
the resources available to it;
•
the amount of stored data;
•
the need for securityand condentiality.
[T]he regulations representa substantial departure fromwhat has come before, andthey impose potentially sig-nicant requirements thatin many ways surpass whatis required elsewhere in thecountry.
2
In the abstract, this makes sense. But, as is evidentfrom the detailed standards imposed for suchinformation security programs, even the smallestbusinesses must shoulder a considerable load insafeguarding personal data. Those who believethat they can safely ignore the regulatory regimenbecause only a modest amount of personal datais at issue, or because few employees are availableto specically focus on this new mandate, do so atgreat risk. Those minimum require-ments for an informationsecurity program are bro-ken down into two maincategories: requirementsapplicable to personalinformation generally,and requirements appli-cable to personal informa-tion in electronic form.
General Inormation SecurityProgram Requirements
A
ll information security programs mustinclude the following:a.
Designated employee.
The program mustdesignate one or more employees to maintainthe information security program. We recom-mend that a single individual be designated,although multiple persons may well be taskedwith responsibilities relating to its imple-mentation. Note that the requirement is notpurely a technical one; smaller organizationsmay want to think twice before simply assign-ing this to the person with the most techni-cal expertise. The role is, at its core, a policycreation and implementation one, and eec-tively requires even the most modest organi-zations to create a position resembling a Chief Privacy Ocer.b.
Identiy risks.
The program must identifyand assess “reasonably foreseeable internaland external risks to the security, condenti-ality, and/or integrity of…personal informa-tion.” In addition it must provide for evaluat-ing and improving the eectiveness of thoseeorts. This section must involve employeetraining, as well as methods of detecting andpreventing security system failures. While thethreat analysis will vary widely from one situa-tion to the next, the regulations give insight towhat the government expects in the mitiga-tion of risk. Here, particular attention shouldbe given to how each and every employee (orcontractor) will be included in the program’simplementation, whether through training orotherwise. Training pro-grams should be formal-ized, and records kept toevidence full participationof the workforce.c.
O-premisesaccess
.
The informa-tion security programmust include policies foraddressing whether andhow employees are permitted to use personalinformation “outside of business premises.” Ingeneral, the best approach here is to prohibitall but specied classes of employees fromaccessing or transporting personal informa-tion from the eld. Those with particularizedneeds should be allowed such access only tothe extent necessary for them to perform anecessary job function. Such records (whetherin paper or electronic form) should be physi-cally kept with and by the employee, locked ina secure cabinet or room, or maintained elec-tronically in an encrypted form. In the tele-commuting context, companies should givethought to VPN, Citrix or other technologiesthat secure electronic access between on-siteand o-site computing devices. While thesemeasures impose an added cost, providingunencrypted transmission of personal infor-mation data over the Internet is problematic,and at odds with the regiment mandated bythe state.d.
Disciplinary measures
.
The program mustprovide that employees are subject to dis-ciplinary measures for violations of the pro-gram rules. This is intended to ensure thatall employees take the policy seriously, and
[T]hose who believe thatthey can safely ignore theregulatory regimen becauseonly a modest amount of personal data is at issue...doso at great risk.
3disciplinary measures should be consistentwith that goal. The manner in which this isincorporated into the information securityprogram should allow for signicant exibil-ity, however, in terms of the specic actionsthat will be taken in the event of violation.e.
Terminated employees.
Terminated employ-ees must be prevented from accessing per-sonal information “by immediately terminat-ing their physical and electronic access to suchrecords.” This is generally self-explanatory.Care must be taken in those situations wherean employee is separated from employment,but continues to provide transition assistance.Either employment must be extended, or safe-guards imposed so that the former employeedoes not have directaccess to the personalinformation at issue.f.
Third-party service providers
.
Businesses
must verify that ser-vice providers “havethe capacity to pro-tect…personal infor-mation.” This involves
inserting appropriate
language into vendor agreements which (a)obligate the service provider to appropriatelysafeguard the information; and (b) maintainits own written information security program.While such requirements will become partof the standard boilerplate, complicated sce-narios may arise in connection with existinglong-term contracts that lack such terms, andwith out-of-state service providers that havenot yet assembled their own written infor-mation security programs. These must beapproached on a case-by-case basis, and therelative bargaining power of the parties maywell dictate the relative risk that the partieswill ultimately bear here. A review of vendorcontracts is essential, and should be under-taken by all businesses.g.
Limited access.
The information security pro-gram must limit (a) the amount of personalinformation collected; (b) the length of timesuch information is kept; and (c) persons per-mitted to access such information. Informa-tion may only be kept to the extent necessaryto accomplish its “legitimate purpose” or com-ply with applicable governmental require-ments. While this concept is understandablein the abstract, implementation may wellprove tricky. For example, in completing aretail transaction, may the retailer collect per-sonal information for a legitimate but unre-lated purpose? Is access by an employee forlegitimate purposes unrelated to the ratio-nale for the collection of the data permit-ted? Given the somewhat restricted deni-tion of “personal information,” however, themost common question may be the extentto which persons may bepermitted to retain creditand debit card numbersof customers. “Inde-nitely” does not appear tobe an acceptable answerany longer.h.
Identiying per- sonal inormationrecords
.
The writteninformation security pro-gram must provide for a method of identify-ing records and devices used to store personalinformation (unless
all
records are treatedas personal information). Carefully imple-mented systems used to segregate personalinformation address this require-ment. This may well requirea reworking of databases
and other established
data processes, however,and must be carefullyconsidered on a pro-cess-by-process basis.i.
Physical access.
It
must impose reason-able restrictions onphysical access torecords containingpersonal information.
[C]omplicated scenarios mayarise in connection...without-of-state service provid-ers that have not yet assem-bled their own written infor-mation security programs
Add a Comment