This may be considered advertising under Mass. R. Prof. C. Rule 7.3(c)

White Paper
March 2010

© 2010 Gesmer Updegrove LLP. All Rights Reserved. www.gesmer.com 40 Broad Street, Boston, MA 02109 617.350.6800

Data Security Law and Regulations Have Sweeping Implications For Massachusetts Businesses

Massachusetts’ Data Security Breach Notification Law, Chapter 93H

On October 31, 2007, Massachusetts introduced a law requiring notification of individuals victimized by data security breaches. The statute, Chapter 93H of the Massachusetts General Laws, is one of 46 such laws in the United States, and its terms are largely consistent with other states’ laws.

Chapter 93H generally requires an individual, business or governmental agency with “personal information” relating to a state resident to provide notice in the event of a data security breach.

“Personal information” is defined as the name of a Massachusetts resident in combination with her Social Security number; driver’s license or state ID number; financial account number; or credit card number or debit card number. Basically, notification is required when personal information (either in unencrypted form, or in encrypted form together with its key) has been used for an unauthorized purpose, or has been acquired by an unauthorized person.

The statute also calls for the implementation of regulations for the purpose of protecting the security, confidentiality and integrity of Massachusetts residents’ personal information.

New Regulations To Protect Personal Information

The Massachusetts Department of Consumer Affairs and Business Regulations issued draft regulations in October 2008 in response to Chapter 93H’s edict. Unlike the Commonwealth’s approach to the statute itself, however, the regulations represent a substantial departure from what has come before, and they impose potentially significant requirements that in many ways surpass what is required elsewhere in the country. These regulations, which may be found at 201 Code of Massachusetts Regulations (CMR) 17, went into effect on March 1, 2010.

At their core, the new regulations call for any person (which includes corporations and partnerships, but not government bodies) that “owns [], licenses, receives, maintains, processes, or otherwise has access to personal information” about a Massachusetts resident to develop and implement a written comprehensive “information security plan.” This ominous-sounding “information security plan” requirement is not merely an amorphous obligation to be proactive in the care and maintenance of personal data. The regulations provide an extensive (though not exhaustive) list of items that must be included in it. They provide that the manner in which these items are implemented is dependent upon the following factors:

• the size, scope and type of business involved;
• the resources available to it;
• the amount of stored data;
• the need for security and confidentiality.

In the abstract, this makes sense. But, as is evident from the detailed standards imposed for such information security plans, even the smallest
businesses may shoulder a considerable load in safeguarding personal data. Those who believe that they can safely ignore the regulatory regimen because only a modest amount of personal data is at issue, or because few employees are available to specifically focus on this new mandate, do so at great risk.

The minimum requirements for an information security plan are broken down into two main categories: requirements applicable to personal information generally, and requirements applicable to personal information in electronic form.

General Information Security Program Requirements

All information security plans must include the following:

a. Designated employee. The plan must designate one or more employees to maintain and implement it. We recommend that a single individual be designated, although multiple persons may well be tasked with responsibilities relating to its implementation. Note that the requirement is not purely a technical one; smaller organizations may want to think twice before simply assigning this to the person with the most technical expertise. The role is, at its core, a policy creation and implementation one, and effectively requires even the most modest organizations to create a position resembling a Chief Privacy Officer.

b. Identify risks. The program must identify and assess “reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of…personal information.” In addition, it must provide for evaluating and improving the effectiveness of those efforts. This section must involve employee training, as well as methods of detecting and preventing security system failures. While the threat analysis will vary widely from one situation to the next, the regulations give insight into what the government expects in the mitigation of risk. Here, particular attention should be given to how each and every employee (or contractor) will be included in the plan’s implementation, whether through training or otherwise. Training programs should be formalized, and records kept to evidence full participation of the workforce.

c. Off-premises access. The information security plan must include policies for addressing the storage, access and transportation of personal information “outside of business premises.” In general, the best approach here is to prohibit all but specified classes of employees from accessing or transporting personal information from the field. Those with particularized needs should be allowed such access only to the extent necessary for them to perform a necessary job function. Covered records (whether in paper or electronic form) should be physically kept with and by the employee, locked in a secure cabinet or room, or maintained electronically in an encrypted form. In the telecommuting context, companies should give thought to VPN, SSH, Citrix or other technologies that secure electronic access between on-site and off-site computing devices. While these measures may impose added cost or complexity, permitting unencrypted transmission of personal information over the Internet is problematic, and at odds with the regimen mandated by the Commonwealth.

d. Disciplinary measures. The program must provide that employees are subject to disciplinary measures for violations of the plan rules. This is intended to ensure that all employees take the plan seriously, and disciplinary measures should be consistent with that goal. The manner in which this is incorporated into the information security program should allow for significant flexibility, however, in terms of the specific actions that will be taken in the event of violations.

e. Terminated employees. Terminated employees must be prevented from accessing personal information. This is generally self-explanatory. Care must be taken in those situations where an employee is separated from employment, but continues to provide transition assistance. Either employment must be extended, or safeguards
imposed so that the former employee does not have direct access to the personal information at issue.

f. Third-party service providers. A two-pronged approach is adopted with respect to third-party service providers with access to personal information. First, the business must “take reasonable steps to select and retain...providers capable of maintaining appropriate security measures...consistent with the regulations and applicable federal regulations.” Second, businesses must contractually require third-party providers to “implement appropriate security measures.” (There is, however, a grandfather provision for prior contracts.) This will often involve contract language expressly referencing the regulations, but it need not necessarily do so. A review of vendor contracts is clearly essential.

g. Physical access. The plan must impose reasonable restrictions on physical access to records containing personal information. It must specifically address the manner in which such access is restricted and require the storage of such data in locked facilities or containers.

h. Monitoring information security program. The information security plan must provide for monitoring to ensure that it is operating “in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information.” This is meant to ensure that the information security plan is more than a binder on a shelf, and is actually being implemented in a manner that ensures that its goals are being met. Along with (i) below, this sets out the fundamental job requirement for the individual designated in (a) above.

i. Review of information security program. The companion to (h) above, this requires a regular review (no less than annually, but as often as business practices may require) of the program to accommodate new and unanticipated risks. Again, this is a major responsibility of the information security designee required by the regulations.

j. Addressing data incidents. The plan must provide for the documentation of actions taken in response to “a breach of security,” along with a post-hoc review to make any necessary changes in business practices. This goes beyond the mere notice requirement of Chapter 93H, and is akin to the “morbidity and mortality” reviews undertaken by hospitals to review mistakes that occurred during patient care to prevent a recurrence. Incorporation of this requirement into the written information security plan may be straightforward, but the more important part here will be ensuring that an actual review takes place that demonstrates an understanding of the magnitude of the incident. Given that Chapter 93H requires that the Commonwealth be informed in the event of a data security breach, it is reasonable to expect the Attorney General to inquire into the outcome of some (or even most) incident reviews. Indeed, even with respect to events that do not rise to the level of a reportable incident, conducting such a review may be an important way of substantiating the proactive manner in which data security issues are addressed within the organization. Assuming proactive measures are taken, such a record of review and response may be very helpful in the event of a subsequent, reportable breach.

Information Security Program Requirements Regarding Electronic Data

All information security programs must include the following, to the extent it is “technically feasible,” as it relates to electronic personal information:

a. User authentication protocols. With respect to electronic personal information, users must be authenticated through the use of user IDs, passwords or other methods that control their access to the data. Authentication must involve:
i. the control of user IDs, so the organization can match user IDs with specific individuals. The sharing of user IDs among employees should be prohibited;

ii. use of passwords, biometric identifiers (such as fingerprint technology), or token devices (such as “rolling” RSA SecurID tokens). With respect to passwords, measures should be taken to ensure that passwords are difficult to guess (i.e., not words in the dictionary; they incorporate letters, numbers and symbols; they meet minimum length requirements, etc.). Additionally, policies should require the occasional updating of passwords;

iii. control of password data, to ensure that passwords are encrypted or stored in a secure manner. Most modern password management systems and operating systems store passwords in an encrypted format, so this should not impose an undue burden on most organizations;

iv. restricting access to active users on active accounts. In other words, access to personal information should be solely through the use of user-based, password-controlled logins. For large organizations, in which all employees must “log in” to gain access to the corporate computer system, this may not present a break in current practice. For smaller organizations – for example, those that maintain customer credit card information on free-standing databases accessible outside a corporate network login – this will require a new approach. It appears that merely password protecting individual data files themselves may be an inadequate approach going forward;

v. blocking access after multiple incorrect login attempts. Again, for some organizations, existing software and data systems may already block access after multiple unsuccessful login attempts. The larger issue for some (small) organizations may be implementing a user-based access system. Once such a system is in place, addressing the issue of unsuccessful login attempts will often be relatively straightforward, and may be incorporated into the operating system.

b. Secure access control measures. Personal information must be restricted to individuals on a “need to know” basis, and unique user IDs and passwords must be used to implement such restrictions. Software vendor “default” passwords may not be used. Again, this general approach is standard in the industry for enterprise-wide systems, but will represent a departure for organizations that still rely on individual PCs, thumb drives, and “sneaker net” to share information. Gone are the days when a list of customer names and credit card numbers could be passed from employee to employee on a CD-ROM or flash drive, apparently even if such information is encrypted.

c. Encryption of transmitted records. Personal information that travels wirelessly or across public networks (e.g., the Internet) should be encrypted. The language of this section suggests that the encryption requirement as it relates to public networks is only imposed “to the extent technically feasible,” whereas the encryption requirement as it relates to wireless transmission applies to “all data.” The wireless component of the requirement will be manifest largely in connection with Wi-Fi networks, which should always be password protected in any business environment. WEP encryption should not be used on Wi-Fi networks, as it is very insecure, and has led to a number of data breach incidents. Other wireless technologies (Bluetooth, WiMax, etc.) have their own security and usage issues, which should be addressed separately. For example, Bluetooth may use less secure encryption algorithms than the Wi-Fi WPA standard, but it is viable over much shorter distances and is less likely to be used in the transmission of personal information, so the inquiry will differ when compared to Wi-Fi. Regarding transmission over the Internet, a number of protocols and techniques can protect login sessions, and you should consult with an IT professional to find
the one most compatible with your organization’s resources and needs. Businesses must be aware that sending unencrypted information over the Internet (whether by email, through a web site or otherwise) is the equivalent of sending a postcard – the confidentiality of the content is dependent solely on the assumption that no one will choose to read it before it reaches its destination. Such an approach is wholly incompatible with the regimen being imposed in the new regulations.

d. Monitoring of systems. The information security plan must provide for the “reasonable monitoring of systems, for unauthorized use of or access to personal information.” Consult an IT professional for information about how best to implement this in your situation.

e. Laptop encryption. The regulations require that personal information stored on laptops or other portable devices be encrypted. This has gotten significant attention, and appears to be an overly broad approach to the problem of data security. For example, there is no exception in the regulations for laptops that are maintained on premises in a secure manner. Rather, the language appears directed to all portable devices (including all laptops), regardless of location or use, as long as they contain personal information. Some organizations will simply elect not to permit personal information to travel by laptop, or to migrate to employees’ Blackberries or similar devices. That may be the least expensive and most technically secure approach. Because the definition of personal information is rather narrow, such an approach may impose fewer hardships for many organizations than first feared, since many or most laptops may be immune from the restrictions. But, for those organizations with a need to travel in the field with such information, care must be taken to properly equip such laptops (and other mobile devices at issue) with systems to meet the encryption requirement. The best approach for laptops is drive-level encryption, whereby everything on the hard drive is encrypted and decrypted automatically by the computer (either through hardware or software). While this may impose a greater expense than simply encrypting individual files or directories, the more comprehensive approach avoids the scenario in which the employee stores frequently used personal information in an unsecure manner for convenience or speed of access. Note that merely using a Windows-based login does not meet this requirement; such security can be easily bypassed by removing the hard drive from the laptop and mounting it on a separate computer. The data is not encrypted, and it can be easily read.

f. Security patches and firewall protection. The information security program must provide for “reasonably up-to-date firewall protection and operating system security patches.” Note that implementation of security patches is often intentionally delayed by IT departments to permit testing for compatibility with legacy systems. It is not clear what an organization’s responsibilities are when a particular security patch would cause problems with a live system. In general, IT departments should closely monitor vendor sites for security glitches and patches, in that this aspect of the regulations seems to shift responsibility for insecure operating system software to the user, to the extent patches are available.

g. Anti-virus software. The regulations require software that offers “malware protection,” and the use of up-to-date virus definitions. Just as a weed is simply an undesirable plant, malware is essentially no more than an undesirable piece of software. The term is not well-defined. While we all have a general understanding of what anti-virus and anti-spyware programs are intended to do, it is unclear whether lesser known and less robust products will be considered sufficient to meet the requirement of this paragraph. Moreover, users of Apple Macintosh and Linux products are often accustomed to running without separate anti-virus software, since very few viruses affect those
computers. It is yet to be seen how broadly this requirement will be interpreted.

h. Education and training. “Education and training of employees on the proper use of the computer security system and the importance of personal information security.” This dovetails with (b) in the general section, which requires employee training generally.

Who Must Comply and When?

The regulations went into effect on March 1, 2010. They generally apply to any non-governmental entity that maintains any “personal information” at all. Virtually all Massachusetts businesses will fall under their scope, if only because they maintain such information about their own employees. Moreover, the regulations do not expressly limit their application to businesses operating or incorporated in Massachusetts. Other corporations doing business with Massachusetts residents may well be subject to the regulatory regimen, although the scope has yet to be tested in court.

It is not yet clear how the Commonwealth will approach enforcement initially, although in similar circumstances (including the passage of Chapter 93H itself), government officials have expressed a willingness to become increasingly stringent about enforcement with the passage of time. Businesses that miss the deadline or otherwise fall short of the standard set by the regulations will run a considerable and steadily increasing risk.

Further, while neither the regulations nor Chapter 93H provide for a private right of action, the standards they establish may well become a relevant benchmark in future civil cases.

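To make the user authentication items (i)–(v) and the unique-ID / no-default-password rule in (b) of the electronic data requirements concrete, here is a small added illustration in Python. It is not from the white paper, the regulation or any vendor product; the lockout threshold, minimum password length, hash iteration count and the list of vendor default passwords are assumed values chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy values: the regulation requires lockout after repeated
# failures and a minimum length, but fixes no numbers; these are illustrative.
MAX_FAILED_ATTEMPTS = 5
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000
# Constructed stand-in for the vendor "default" passwords that item (b) forbids.
VENDOR_DEFAULTS = {"password", "admin", "changeme", "welcome1"}


def password_is_acceptable(pw: str) -> bool:
    """Item (ii): minimum length, letters + digits + symbols, no vendor default."""
    if len(pw) < MIN_PASSWORD_LENGTH or pw.lower() in VENDOR_DEFAULTS:
        return False
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    return has_letter and has_digit and has_symbol


def hash_password(pw: str, salt: bytes) -> bytes:
    """Item (iii): only a salted, slow hash is stored, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    owner: str            # item (i): each user ID maps to one named individual
    salt: bytes
    pw_hash: bytes
    active: bool = True   # item (iv): only active accounts may log in
    failed: int = 0
    locked: bool = False  # item (v): set once failures reach the threshold


class AccessControl:
    def __init__(self) -> None:
        self.accounts = {}  # user_id -> Account

    def create_user(self, user_id: str, owner: str, password: str) -> None:
        if user_id in self.accounts:
            raise ValueError("user ID already assigned; IDs may not be shared")
        if not password_is_acceptable(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(owner, salt, hash_password(password, salt))

    def deactivate(self, user_id: str) -> None:
        """General item (e): a departing employee loses access immediately."""
        self.accounts[user_id].active = False

    def login(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        # Unknown, inactive and locked accounts all fail the same way.
        if acct is None or not acct.active or acct.locked:
            return False
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed = 0
            return True
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
        return False
```

A real deployment would also record each failed and locked-out login for the monitoring required under (d) and provide an administrator path to unlock accounts.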
About Gesmer Updegrove LLP

Gesmer Updegrove is New England’s premier law firm for technology companies and emerging businesses. Its mission is to be the trusted advisor to clients, providing quality legal services, outstanding business advice and value-added services. The firm works side by side with entrepreneurs, investors, executives and their businesses to bring the resources necessary to grow their companies - all while ensuring that their companies are legally protected.

About ColoSpace, Inc.

ColoSpace is a leading provider of Application Hosting, Colocation, and Disaster Recovery services in New England. Headquartered in Rockland, Massachusetts, ColoSpace operates a network of 6 Internet Data Centers (IDCs) throughout the region. From these IDCs, ColoSpace deploys high availability services to firms located throughout the world. ColoSpace’s customers include some of the largest firms in the Financial Services, Healthcare, and High Technology industries. Founded in 2001, ColoSpace is led by a team of industry veterans and has followed a path of exceptional growth and continuous profitability.

The information provided herein is for informational purposes only, for clients and friends of Gesmer Updegrove LLP. It is provided
“as is,” and the firm makes no representation as to the completeness or accuracy of its content. It does not constitute legal advice.
Before making any legal decisions regarding the matters discussed in this white paper, you should consult with a qualified legal
professional, who can provide advice tailored to your individual situation. This document does not create an attorney-client
relationship between you and Gesmer Updegrove LLP or any of its attorneys. ©2009 Gesmer Updegrove LLP. All rights reserved.