You are on page 1of 7

November 2008 a

e-paper
New Data Security Regulations Have Sweeping
Implications For Massachusetts Businesses
Massachusetts’ Data Security Breach approach to the statute itself, however, the regu-
Notification Law, Chapter 93H lations represent a substantial departure from

O
what has come before, and they impose poten-
ctober 31, 2008 marked the one-year anni-
tially significant requirements that in many ways
versary of the Massachusetts law requir-
surpass what is required elsewhere in the coun-
ing notification of individuals victimized
try. These regulations, which may be found at 201
by data security breaches. The statute, Chapter
Code of Massachusetts Regulations (CMR) 17, are
93H of the Massachusetts General Laws, is one of
presently scheduled to become effective on Janu-
46 such laws in the United
ary 1, 2009.
States, and its terms are
largely consistent with [T]he regulations represent At their core, the new
other states’ laws. a substantial departure from regulations call for any
what has come before, and person (which includes
Chapter 93H generally
corporations and part-
requires an individual, they impose potentially sig- nerships, but not govern-
business or governmen-
tal agency with “personal
nificant requirements that ment bodies) who “owns,
in many ways surpass what licenses, stores, or main-
information” relating to a
tains personal informa-
state resident to provide is required elsewhere in the tion” about a Massachu-
notice in the event of a
data security breach.
country. setts resident to develop
and implement a writ-
“Personal information” is ten “comprehensive data
defined as the name of a Massachusetts resident security program.” This ominous-sounding “infor-
in combination with her Social Security num- mation security program” requirement is not
ber; driver’s license or state ID number; financial merely an amorphous obligation to be proactive
account number; credit card number or debit card in the care and maintenance of
number. Basically, notification is required when personal data. The regulations Table of Contents
personal information (either in unencrypted provide an extensive (though
form, or in encrypted form with its key) has been not exhaustive) list of items About the
used for an unauthorized purpose, or has been that must be included in the Massachusetts Law
acquired by an unauthorized person. program. They provide that the
manner in which these items About the New
The statute also calls for the implementation of are implemented is dependent Regulations
regulations for the purpose of protecting the upon the following factors: Requirements That
security, confidentiality and integrity of Massa-
• the size, scope and type Apply to All Personal
chusetts residents’ personal information.
of business involved; Information
New Regulations To Protect
• the resources available to it; Requirements That
Personal Information
Apply To Electronic

T
he Massachusetts Department of Con- • the amount of stored data; Records Only
sumer Affairs and Business Regulations
recently issued regulations in response to • the need for security Effective Date and
Chapter 93H’s edict. Unlike the Commonwealth’s and confidentiality. Scope

1
40 Broad Street, Boston, MA 02109 • 617.350.6800 •Gesmer.com
In the abstract, this makes sense. But, as is evident
efforts. This section must involve employee
from the detailed standards imposed for such training, as well as methods of detecting and
information security programs, even the smallest preventing security system failures. While the
businesses must shoulder a considerable load in threat analysis will vary widely from one situa-
safeguarding personal data. Those who believe tion to the next, the regulations give insight to
that they can safely ignore the regulatory regimen what the government expects in the mitiga-
because only a modest amount of personal data tion of risk. Here, particular attention should
is at issue, or because few employees are availablebe given to how each and every employee (or
to specifically focus on this new mandate, do so atcontractor) will be included in the program’s
great risk. implementation, whether through training or
otherwise. Training pro-
Those minimum require- grams should be formal-
ments for an information [T]hose who believe that ized, and records kept to
security program are bro- they can safely ignore the evidence full participation
ken down into two main
regulatory regimen because of the workforce.
categories: requirements
applicable to personal only a modest amount of c. Off-premises
information generally, personal data is at issue...do access. The informa-
and requirements appli- tion security program
so at great risk.
cable to personal informa- must include policies for
tion in electronic form. addressing whether and
how employees are permitted to use personal
General Information Security information “outside of business premises.” In
Program Requirements
general, the best approach here is to prohibit

A
ll information security programs must all but specified classes of employees from
include the following: accessing or transporting personal informa-
tion from the field. Those with particularized
a. Designated employee. The program must needs should be allowed such access only to
designate one or more employees to maintain the extent necessary for them to perform a
the information security program. We recom- necessary job function. Such records (whether
mend that a single individual be designated, in paper or electronic form) should be physi-
although multiple persons may well be tasked cally kept with and by the employee, locked in
with responsibilities relating to its imple- a secure cabinet or room, or maintained elec-
mentation. Note that the requirement is not tronically in an encrypted form. In the tele-
purely a technical one; smaller organizations commuting context, companies should give
may want to think twice before simply assign- thought to VPN, Citrix or other technologies
ing this to the person with the most techni- that secure electronic access between on-site
cal expertise. The role is, at its core, a policy and off-site computing devices. While these
creation and implementation one, and effec- measures impose an added cost, providing
tively requires even the most modest organi- unencrypted transmission of personal infor-
zations to create a position resembling a Chief mation data over the Internet is problematic,
Privacy Officer. and at odds with the regiment mandated by
the state.
b. Identify risks. The program must identify
and assess “reasonably foreseeable internal d. Disciplinary measures. The program must
and external risks to the security, confidenti- provide that employees are subject to dis-
ality, and/or integrity of…personal informa- ciplinary measures for violations of the pro-
tion.” In addition it must provide for evaluat- gram rules. This is intended to ensure that
ing and improving the effectiveness of those all employees take the policy seriously, and

2
disciplinary measures should be consistent information collected; (b) the length of time
with that goal. The manner in which this is such information is kept; and (c) persons per-
incorporated into the information security mitted to access such information. Informa-
program should allow for significant flexibil- tion may only be kept to the extent necessary
ity, however, in terms of the specific actions to accomplish its “legitimate purpose” or com-
that will be taken in the event of violation. ply with applicable governmental require-
ments. While this concept is understandable
e. Terminated employees. Terminated employ- in the abstract, implementation may well
ees must be prevented from accessing per- prove tricky. For example, in completing a
sonal information “by immediately terminat- retail transaction, may the retailer collect per-
ing their physical and electronic access to such sonal information for a legitimate but unre-
records.” This is generally self-explanatory. lated purpose? Is access by an employee for
Care must be taken in those situations where legitimate purposes unrelated to the ratio-
an employee is separated from employment, nale for the collection of the data permit-
but continues to provide transition assistance. ted? Given the somewhat restricted defini-
Either employment must be extended, or safe- tion of “personal information,” however, the
guards imposed so that the former employee most common question may be the extent
does not have direct to which persons may be
access to the personal permitted to retain credit
information at issue. [C]omplicated scenarios may and debit card numbers
arise in connection...with of customers. “Indefi-
f. Third-party service nitely” does not appear to
providers. Businesses out-of-state service provid- be an acceptable answer
must verify that ser- ers that have not yet assem- any longer.
vice providers “have
the capacity to pro- bled their own written infor- h. Identifying per-
tect…personal infor- mation security programs sonal information
mation.” This involves records. The written
inserting appropriate information security pro-
language into vendor agreements which (a) gram must provide for a method of identify-
obligate the service provider to appropriately ing records and devices used to store personal
safeguard the information; and (b) maintain information (unless all records are treated
its own written information security program. as personal information). Carefully imple-
While such requirements will become part mented systems used to segregate personal
of the standard boilerplate, complicated sce- information address this require-
narios may arise in connection with existing ment. This may well require
long-term contracts that lack such terms, and a reworking of databases
with out-of-state service providers that have and other established
not yet assembled their own written infor- data processes, however,
mation security programs. These must be and must be carefully
approached on a case-by-case basis, and the considered on a pro-
relative bargaining power of the parties may cess-by-process basis.
well dictate the relative risk that the parties
will ultimately bear here. A review of vendor i. Physical access. It
contracts is essential, and should be under- must impose reason-
taken by all businesses. able restrictions on
physical access to
g. Limited access. The information security pro- records containing
gram must limit (a) the amount of personal personal information.

3
It must specifically address the manner in demonstrates an understanding of the mag-
which such access is restricted and require nitude of the incident. Given that Chapter
the storage of such data in locked facilities or 93H requires that the state be informed in the
containers. event of a data security breach, it is reason-
able to expect the Attorney General to inquire
j. Monitoring information security program. into the outcome of some (or even most)
The information security program must pro- incident reviews. Indeed, even with respect
vide for monitoring to ensure that it is oper- to events that do not rise to the level of a
ating “in a manner reasonably calculated to reportable incident, the conducting of such a
prevent unauthorized review may be an impor-
access to or unauthor- tant way of substantiating
ized use of personal This is meant to essentially the proactive manner in
information.” This is ensure that the information which data security issues
meant to essentially security plan is more than a are addressed within the
ensure that the infor- organization. Assum-
mation security plan is binder on a shelf, but is actu- ing proactive measures
more than a binder on ally being implemented in a are taken, such a record
a shelf, but is actually manner that ensures that its of review and response
being implemented may be very helpful in the
in a manner that goals are being met. event of a subsequent,
ensures that its goals reportable breach.
are being met. Along
with (k) below, this sets out the fundamental Information Security Program
job requirement for the individual designated Requirements Regarding
in (a) above. Electronic Data

A
ll information security programs must
k. Review of information security program.
include the following, as it relates to elec-
The companion to (j) above, this requires a
tronic personal information:
regular review (no less than annually, but as
often as business practices may require) of the a. User authentication protocols. With respect
program to accommodate new and unantici- to electronic personal information, users must
pated risks. Again, this is a major responsibility be authenticated through the use of user IDs,
of the information security designee required passwords or other methods that control
by the regulations. their access to the data. Authentication must
involve:
l. Addressing data incidents. The program
must provide for the documentation of i. the control of user IDs, so the organiza-
actions taken in response to “a breach of secu- tion can match user IDs with specific indi-
rity,” along with a post-hoc review to make any viduals. The sharing of user IDs among
necessary changes in business practices. This employees should be prohibited;
goes beyond the mere notice requirement of
Chapter 93H, and is akin to the “morbidity and ii. use of passwords, biometric identifi-
mortality” reviews undertaken by hospitals to ers (such as fingerprint technology), or
review mistakes that occurred during patient token devices (such as “rolling” RSA Secu-
care to prevent a recurrence. Incorporation of rID tokens). With respect to passwords,
this requirement into the written information measures should be taken to ensure that
security program may be straightforward, but passwords are difficult to guess (i.e., not
the more important part here will be ensur- words in dictionary; they incorporate let-
ing that an actual review takes place that ters, numbers and symbols; they meet

4
minimum length requirements, etc.). Addi- b. Secure access control measures. Personal
tionally, thought should be given to forc- information must be restricted to individu-
ing the occasional updating of passwords. als on a “need to know” basis, and must use
unique user IDs and passwords to implement
iii. control of password data, to ensure that such restrictions. Software vendor “default”
passwords are encrypted or stored in passwords may not be used. Again, this gen-
a secure manner. Most modern pass- eral approach is standard in the industry for
word management systems and soft- enterprise-wide systems, but will represent a
ware operating systems store passwords departure for organizations that still rely on
in an encrypted format, so this should individual PCs, thumb drives, and “sneaker
not impose an undue burden on most net” to share information. Gone are the days
organizations. when a list of customer names and credit card
numbers could be passed from employee to
iv. restricting access to active users on active employee on a CD-ROM or flash drive, appar-
accounts. In other words, access to per- ently even if such information is encrypted.
sonal information should be solely
through use of user-based password-con- c. Encryption of transmitted records. Per-
trolled log ins. For large organizations, in sonal information that travels wirelessly or
which all employ- across public networks
ees must “log in” (e.g., the Internet) should
to gain access It appears that merely pass- be encrypted. The lan-
to the corporate word protecting individual guage of this section sug-
computer system, gests that the encryption
this may not pres-
data files ... may be an inad-
requirement as it relates
ent a break in cur- equate approach going to public networks is only
rent practice. For forward. imposed “to the extent
smaller organiza- technically feasible,”
tions – for exam- which the encryption
ple, those that maintain customer credit requirement as it relates to wireless transmis-
card information on free-standing data- sion applies to “all data.” The wireless com-
bases accessible from outside a corporate ponent of the requirement will be manifest
network log in – this will require a new largely in connection with Wi-Fi networks,
approach. It appears that merely password which should always be password protected
protecting individual data files themselves in any business environment. WEP encryption
may be an inadequate approach going should not be used on Wi-Fi networks, as it is
forward. very insecure, and has led to a number of data
breach incidents. Other wireless technolo-
v. blocking access after multiple incorrect login gies (Bluetooth, WiMax, etc.) have their own
attempts. Again, for some organizations, security and usage issues, which should be
existing software and data systems may addressed separately. For example, Bluetooth
already block access after multiple unsuc- may use less secure encryption algorithms
cessful login attempts. The larger issue than the Wi-Fi WPA standard, but it is viable
for some (small) organizations may be over much shorter distances and is less likely
implementing a user-based access system. to be used in the transmission of personal
Once such a system is in place, addressing information, so the inquiry will differ when
the issue of unsuccessful login attempts compared to Wi-Fi. Regarding transmission
will often be relatively straightforward, over the Internet, a number of protocols and
and may be incorporated into the operat- techniques can protect login sessions, and you
ing system. should consult with an IT professional to find

5
the one most compatible with your organiza- to travel by laptop, or migrate to employees
tion’s resources and needs. Businesses must Blackberries or similar devices. That may be
be aware that sending unencrypted infor- the least expensive and most technically
mation over the Internet (whether by email, secure approach. Because the definition of
through a web site or otherwise) is the equiva- personal information is rather narrow, such
lent of sending a postcard – the confidential- an approach may impose fewer hardships for
ity of the content is dependant solely on the many organizations than first feared, since
assumption that no one will choose to read many or most laptops may be immune from
it before it reaches its the restrictions. But, for
destination. Such an those organizations with
approach is wholly The regulations require that a need to travel in the
incompatible with personal information stored field with such informa-
the regimen being tion, care must be taken
imposed in the new
on laptops or other porta- to properly equip such
regulations. ble devices be encrypted.... laptops (and other mobile
[F]or those organizations devices at issue) with sys-
d. Monitoring of sys- tems to meet the encryp-
tems. The information with a need to travel in the tion requirement. The
security plan must field with such informa- best approach for lap-
provide for the “rea- tion, care must be taken to tops is drive-level encryp-
sonable monitoring of tion, whereby every-
systems, for unauthor- properly equip such laptops thing on the hard drive is
ized use of or access to (and other mobile devices at encrypted and decrypted
personal information.” issue) with systems to meet automatically by the com-
Consult an IT profes- puter (either through
sion for information the encryption requirement. hardware or software).
about how to best to While this may impose a
implement this in your greater expense than sim-
situation. ply encrypting individual files or directories,
the more comprehensive approach avoids
e. Laptop encryption. The regulations require the scenario in which the employee stores
that personal information stored on laptops or frequently used personal information in an
other portable devices be encrypted. This has unsecure manner for convenience or speed
gotten significant attention, and appears to be of access. Note that merely using a Windows-
an overly broad approach to the problem of based login does not meet this requirement;
data security. For example, there is no excep- such security can be easily bypassed by
tion in the regulations for laptops that are removing the hard drive from the laptop and
maintained on premises in a secure manner. mounting it on a separate computer. The data
Rather, the language appears directed to all is not encrypted, and it can be easily read.
portable devices (including all laptops), regard-
less of location or use, as long as they contain f. Security patches and firewall protection.
personal information. Some organizations The information security program must
will simply elect not to permit personal infor- provide for “reasonably up-to-date firewall
mation protection and operating system security
patches.” Note that implementation of secu-
rity patches is often intentionally delayed
by IT departments to permit testing for
compatibility with legacy systems. It is not
clear what an organization’s responsibilities

6
are when a particular security patch would information” at all. Virtually all Massachusetts
cause problems with a live system. In general, businesses will fall under its scope, if only because
IT departments should closely monitor vendor they maintain such information about their own
sites for security glitches and patches, in that employees. Moreover, the regulations do not
this aspect of the regulations seems to shift expressly limit their application to businesses
responsibility for insecure operating system operating or incorporated in Massachusetts.
software to the user, to the extent patches are Other corporations doing business with Massa-
available. chusetts residents may well be subject to the reg-
ulatory regimen, although the scope has yet to be
g. Anti-virus software. The regulations require tested in court.
software that offers “malware protection,”
and use up-to-date virus definitions. Just as It is not yet clear how the state will approach
a weed is simply an undesirable plant, mal- enforcement initially, although in similar circum-
ware is essentially no stances (including the
more than an undesir- The regulations become passage of Chapter 93H
able piece of software. itself), government offi-
The term is not well-
effective January 1, 2009, cials have expressed a
defined. While we all so there is much work to be willingness to become
have a general under- done. increasingly stringent
standing of what anti- about enforcement with
virus and anti-spyware the passage of time. Busi-
programs are intended to do, it is unclear nesses that miss the deadline or otherwise fall
whether lesser known and less robust prod- short of the standard set by the regulations will
ucts will be considered sufficient to meet the run a considerable and steadily increasing risk.
requirement of this paragraph. Moreover,
Further, while neither the regulations nor Chapter
users of Apple Macintosh products are often
93H provide for a private right of action, the stan-
accustomed to running without separate anti-
dards they establish may well become a relevant
virus software, since very few viruses affect
benchmark in future civil cases.
those computers. It is yet to be seen how
broadly this requirement will be interpreted. Because many of the regulations’ requirements
may require substantial lead time to implement,
h. Education and training. “Education and the smart executive will start thinking about com-
training of employees on the proper use of pliance immediately.
the computer security system and the impor-
tance of personal information security.” This
dovetails with (b) in the general section, which
requires employee training generally. The author, Joseph Laf­errera,
is a partner at the firm of Ges-
Who Must Comply and When? mer Updegrove LLP. He heads

T
he regulations become effective January the employment law and data
1, 2009, and given their extensive require- security practice groups at the
ments, such a deadline is quite aggressive. firm. Any questions regarding
the contents of this paper may
The regulations generally apply to any non-gov- be directed to him at joe.lafer-
ernmental entity that maintains any “personal rera@gesmer.com.

The information provided herein is for informational purposes only, for clients and friends of Gesmer Updegrove LLP. It is pro-
vided “as is,” and the firm makes no representation as to the completeness or accuracy of its content. It does not constitute legal
advice. Before making any legal decisions regarding the matters discussed in this e-paper, you should consult with a qualified
legal professional, who can provide advice tailored to your individual situation. This document does not create an attorney-client
relationship between you and Gesmer Updegrove LLP or any of its attorneys. All rights reserved, ©2008 Gesmer Updegrove LLP.
7