Enforcement of the Massachusetts Data Privacy Law

It’s been almost 18 months since the Massachusetts Data Privacy Law went into effect. Belmont Savings Bank has become one of the first charged with violating the law.

Belmont Savings Bank maintained personal information on an unencrypted backup data tape and then lost the tape. According to surveillance footage the tape was likely discarded inadvertently by the overnight clearing crew and sent to the incinerator.

There were several rounds of changes between the first version of 201 CMR 17.00 and the final one. One central element was the requirement that there be written information security plan in place if your company has “personal information” on a Massachusetts resident. Obviously, you need to comply with the plan.

In this case, Belmont Savings Bank has the plan. But they failed to comply with it. The data tape should have been locked-up overnight and not left on a desk.

The Massachusetts’ Attorney General entered into an Assurance of Discontinuance with Belmont Savings Bank. As part of the settlement, the bank has to

  • encryp, to the extent technically feasible, all personal information stored on backup data tapes
  • store backup data tapes containing personal information in a secure location
  • effectively train its workforce on the policies and procedures with respect to maintaining the security of personal information

There is no evidence indicating that any customer’s personal information has been acquired or used by an unauthorized person or used for an unauthorized purpose. The Assurance of Discontinuance states that if actual harm to customers results, the Attorney General’s Office will reopen discussions to determine appropriate restitution.

Sources:

Data Breaches and Knowledge Management

One of the features of the new Massachusetts Data Privacy Law is that it forces some knowledge management on companies in the context of data breaches.

Since the law required compliance on or before March 1, 2010, I assume you already have the policy and safeguards in place. That is, if you have social security numbers or financial account information for any Massachusetts resident in your computer systems or files. Yes, the reaches beyond the borders of Massachusetts and is not limited to Massachusetts companies.

201 CMR 17.03(h) and (i) require regular monitoring of your program and a periodic  review of its scope.

201 CMR 17.03(j) goes on to require that you document any responsive actions, have a post-incident review and document any changes to your program after the review. That sounds a lot like knowledge management to me.

The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf). You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Image is by Darwinek in Wikimedia Commons: Flag Map of Massachusetts

Today is the Deadline for the Massachusetts Data Privacy Law

March 1 is the compliance deadline for the Massachusetts Data Privacy Law. 201 CMR 17.00 requires you to be in full compliance on or before January 1, 2009 January 1, 2010 March 1, 2010.

If your company receives, stores, maintains, processes or otherwise has access to “personal information” acquired in connection with employment or with the provision of goods or services to a Massachusetts resident you are subject to the requirements of .

If you have employees or customers in the Commonwealth of Massachusetts, then you are subject to this law. The law is not restricted to companies located in Massachusetts. But if you are located in Massachusetts then you have Massachusetts employees and their personal information, making you subject to the requirements of the law.

The law is a bit watered down since its initial form, but you still need to pay attention to it. There are some reasonableness standards in the requirements that make it easier to comply. You still need a policy, need to inventory your stores of “personal information” and educate your employees about the importance of safeguarding personal information.

The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf).

You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Since today is March 1, you still have a few hours to get things in place to be compliant with the law. If you haven’t done taken the proper steps, stop reading and go do it.

Previous Posts:

Webinar Materials for: Preparing for the strictest privacy law in the nation

INSIGHT_headerforweb3

As a follow up to Wednesday’s lunchtime webinar sponsored by Knowledge Management Associates, I wanted to post some materials for those of you that missed it and for those looking for notes and details.

The slidedeck:

 

Massachusetts General Laws Chapter 93H
http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm

201 CMR 17.00

Click to access 201CMR17amended.pdf

Compliance Building Posts on Mass. Data Privacy
https://www.compliancebuilding.com/tag/mass-data-privacy-law/

Complying with Massachusetts Data Protection Regulations

searchcompliance

The current deadline for complying with the Massachusetts Data Privacy Law is January 1, 2010. Since the law protects personal data of the citizens of the Commonwealth of Massachusetts, its reach extends well beyond the state borders. TechTarget  recently held a  seminar on 201 CMR 17.

It is tough law to deal with. Even its creators are unsure about what it actually says. At the Compliance Decisions conference, a presenter from the state government overstated the requirements of the law: No easy answers for complying with data protection regulations.

Based on some coverage of the seminar, some interesting items came out.

When it comes to wireless standards: “You have to look at what is considered industry back practices. Specific to a wireless control, don’t go out and look at WEP. Don’t go out and look at WPA. Both of those protocols have been breached. You’ve got to go to WPA2.”

When it comes to compliance and enforcement: “It is true that the attorney general is going to decide what is in compliance or not.”

References:

Preparing for the strictest privacy law in the nation: MA Privacy Law 201 CMR 17

INSIGHT_headerforweb3

Join me for a webinar on the Massachusetts Data Privacy Law.

Knowledge Management Associates, LLC is sponsoring a webinar on Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17.

  • I will provide an overview of the law.
  • Roberty Boonstra will share some of his best practices around implementation and compliance with the law.
  • Sean Megley, of Knowledge Management Associates, will provide a look at their SharePoint-based compliance management solution to to address 201 CMR 17.00

The webinar will be on July 29, 2009 from 12:30pm – 1:30pm (Boston time). And it’s free. You can register on their webinar registration page.

Amendment to Mass. Data Privacy Law

goodwinprocter_logoGoodwin Procter has published a client alert describing the amendments to the Massachusetts Data Privacy Law (my posts on this topic).

They detail three changes.  First is pushing bck the complaince deadline to January 1, 2010. Second, theyhave lifted some of the contract amendments and certifications from vendors. Third, they clarified the  wireless encryption requirement.

The text of the amended regulations (.pdf).

Massachusetts Amends and Extends Its Data Privacy Law

According to this press release from the Massachusetts Office of Consumer Affairs and Business Regulation, they have once again extended the deadline for complying the with the regulations. Now the regulations will take effect Jan. 1, 2010.

I have not had a chance to analyze the differences yet, but here are the amended regulations under 202CMR 17.00 (.pdf).

Public Hearing on Massachusetts Data Privacy Regulations

The Massachusetts Office of Consumer Affairs and Business has published a Notice of Public Hearing on 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth. (.pdf)

The hearing is on Friday, January 16, 2009 at 2:00 pm in Room No. 5-6, Second Floor of the Transportation Building, 10 Park Plaza, Boston.

Additional Time to Comply with Identity Theft Prevention Regulations

The Massachusetts Department of Consumer Affairs and Business Regulation have extended the deadline for compliance with 201 CMR 17.00: Business Community Given Additional Time to Comply with Identity Theft Prevention Regulations.

The regulations were orginally set to take effect on January 1, 2009. That deadline has been extended to May 1, 2009.  The deadlines for certification from third party providers and ensuring encryption of laptops have been extended to January 1, 2010.

See previous posts: