Data Breaches in Massachusetts

Through September 30, 2011, the largest share of breaches was not in the financial sector, but in the retail and healthcare industries, along with government. On October 31, 2007, the Commonwealth’s Data Security Breach Law, Mass. Gen. Law c. 93H, went into effect. On March 1, 2010, the Office of Consumer Affairs and Business Regulation’s Data Security Regulations, 201 CMR 17.00, went into effect.

The Office of Consumer Affairs and Business Regulation has been tracking the data breach notifications it has received under the law. As of Sept. 30, 2011, there had been 1,833 notifications of security breaches. The number of Massachusetts residents affected by the reported incidents since November 1, 2007 now totals 3,166,031. (I’m not sure if the report is double counting “residents” who may be involved in more than one data breach. After all, there are fewer than 7 million residents in Massachusetts.)

The biggest breach in 2011 was the Sony Playstation network incident, which affected 560,990 residents. The second largest came from the state itself, when 245,000 residents were affected by a large malware data breach in the Department of Unemployment Assistance. That puts entertainment and state government into the top two slots for breach types in 2011, and in third and fourth place for breaches since 2007. Health care and financial services are the leading industries for breaches.


Enforcement of the Massachusetts Data Privacy Law

It’s been almost 18 months since the Massachusetts Data Privacy Law went into effect. Belmont Savings Bank has become one of the first charged with violating the law.

Belmont Savings Bank maintained personal information on an unencrypted backup data tape and then lost the tape. According to surveillance footage the tape was likely discarded inadvertently by the overnight clearing crew and sent to the incinerator.

There were several rounds of changes between the first version of 201 CMR 17.00 and the final one. One central element was the requirement that there be a written information security plan in place if your company has “personal information” on a Massachusetts resident. Obviously, you also need to comply with the plan.

In this case, Belmont Savings Bank had the plan. But they failed to comply with it. The data tape should have been locked up overnight and not left on a desk.

The Massachusetts Attorney General entered into an Assurance of Discontinuance with Belmont Savings Bank. As part of the settlement, the bank has to

  • encrypt, to the extent technically feasible, all personal information stored on backup data tapes
  • store backup data tapes containing personal information in a secure location
  • effectively train its workforce on the policies and procedures with respect to maintaining the security of personal information

There is no evidence indicating that any customer’s personal information has been acquired or used by an unauthorized person or used for an unauthorized purpose. The Assurance of Discontinuance states that if actual harm to customers results, the Attorney General’s Office will reopen discussions to determine appropriate restitution.


Data Breaches and Knowledge Management

One of the features of the new Massachusetts Data Privacy Law is that it forces some knowledge management on companies in the context of data breaches.

Since the law required compliance on or before March 1, 2010, I assume you already have the policy and safeguards in place. That is, if you have social security numbers or financial account information for any Massachusetts resident in your computer systems or files. Yes, the law reaches beyond the borders of Massachusetts and is not limited to Massachusetts companies.

201 CMR 17.03(h) and (i) require regular monitoring of your program and a periodic review of its scope.

201 CMR 17.03(j) goes on to require that you document any responsive actions, have a post-incident review and document any changes to your program after the review. That sounds a lot like knowledge management to me.

The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf). You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Image is by Darwinek in Wikimedia Commons: Flag Map of Massachusetts

Today is the Deadline for the Massachusetts Data Privacy Law

March 1 is the compliance deadline for the Massachusetts Data Privacy Law. 201 CMR 17.00 requires you to be in full compliance on or before March 1, 2010 (a deadline that was originally January 1, 2009, and then January 1, 2010).

If your company receives, stores, maintains, processes or otherwise has access to “personal information” acquired in connection with employment or with the provision of goods or services to a Massachusetts resident, you are subject to the requirements of the regulations.

If you have employees or customers in the Commonwealth of Massachusetts, then you are subject to this law. The law is not restricted to companies located in Massachusetts. But if you are located in Massachusetts then you have Massachusetts employees and their personal information, making you subject to the requirements of the law.

The law is a bit watered down from its initial form, but you still need to pay attention to it. There are some reasonableness standards in the requirements that make it easier to comply. You still need a policy, need to inventory your stores of “personal information” and need to educate your employees about the importance of safeguarding personal information.

The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf).

You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Since today is March 1, you still have a few hours to get things in place to be compliant with the law. If you haven’t taken the proper steps, stop reading and go do it.


Data Accountability and Trust Act Passed by House


The Data Accountability and Trust Act (H.R. 2221) was passed by the House on Tuesday. This act would require the Federal Trade Commission to promulgate regulations requiring each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish security policies and procedures.

This bill would preempt any state laws in the area, wiping out the Massachusetts Data Privacy Law [Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)].

I think it’s a good thing to have a national standard in this area. The transient nature of personal data makes it hard to associate with a particular state. That means the most restrictive of the various state laws ends up becoming the national standard.

The downside is that we would have to wait for the FTC to draft the rules, go through the comment period and wait for implementation.

Of course, the Data Accountability and Trust Act is not the law yet. As I learned in School House Rock, H.R. 2221 is singing:

I’m just a bill.
Yes, I’m only a bill.
And I’m sitting here on Capitol Hill.
Well, it’s a long, long journey
To the capital city.
It’s a long, long wait
While I’m sitting in committee,
But I know I’ll be a law someday
At least I hope and pray that I will,
But today I am still just a bill.

Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)


Massachusetts has revised its data privacy regulations one more time. The revised regulations are less demanding than the original version released over a year ago. But this law is still the strictest in the country and will be the de facto law of the land for many companies.

The Office of Consumer Affairs and Business Regulation issued a press release announcing that the revised regulations have been filed with the Secretary of State and published on the OCABR website.

Fortunately, Gabriel M. Helmer of Foley Hoag’s Security & Privacy practice produced a redline showing the changes.

There are very few changes to the regulations that were released in August:

  • The Massachusetts Data Privacy regulations apply to anyone who “stores” personal information, in addition to those who receive, maintain, process, or otherwise have access to personal information.
  • Service Providers now include anyone who “stores” personal information through the provision of services to anyone subject to the regulations, in addition to those who receive, maintain, process, or otherwise are permitted access to personal information.
  • The U.S. Postal Service is no longer expressly excluded from the definition of “Service Providers.”
  • Service Provider agreements entered into before March 1, 2010 do not have to be amended to comply with these regulations until March 1, 2012.

The effective date is still March 1, 2010.

The regulations apply to personal information of Massachusetts residents. The reach of the regulations is not limited to businesses in Massachusetts.


Massachusetts Amends Strict Data Privacy Law (Again)


UPDATE: Another revision was published on November 5, 2009. See: Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)

The Massachusetts Office of Consumer Affairs and Business Regulation has decided to amend the strict data privacy law and extend the deadline for compliance. This is yet another amendment to the regulations. The last amendment had extended the compliance deadline to January 1, 2010.

In keeping with Governor Deval Patrick’s commitment to balancing consumer protection with the needs of small business owners, the adjustments to Massachusetts’ identity theft regulations allow some flexibility in compliance by small businesses. The regulations now have a risk-based approach that may make it easier on small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, can take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

Key amendments to 201 CMR 17.00 include:

Section 17.01 (1) Purpose of the regulation was amended to include language from M.G.L. 93H.

Section 17.01 (2) Scope of the regulations was revised to cover “persons who own or license personal information”. The section removes previous regulatory language related to those that “store or maintain personal information”.

Section 17.02 Encryption definition was amended to be technology neutral. A definition for the term “owns and licenses” was added to focus the protection of personal information in “connection with the provision of goods or services or in connection with employment”. A new definition for the term “service provider” was added.

Section 17.03 (1) Duty to protect rules look to address size and scope of a firm within the development and implementation of a written information security plan. (2) Amends and removes some requirements for the written information security plan. (f) Amends third party vendor rules and provides a two year window relative to contracts and requirements for compliance.

Section 17.04 Amends computer requirements for persons that own or license personal information to develop a written information security plan “that at a minimum, and to extent technologically feasible, shall have the following elements”.

Section 17.05 Amends the effective date of the regulations to March 1, 2010.

There will be a hearing on the revised regulations commencing at 10:00 a.m. on Tuesday September 22, 2009, in Room No. 5-6, Second Floor of the Transportation Building, Ten Park Plaza Boston, Massachusetts 02116. Interested parties will be afforded a reasonable opportunity at the hearing to present oral or written testimony. Written comments will be accepted up to the close of business on September 25, 2009. Such written comments may be mailed to: Office of Consumer Affairs and Business Regulation, 10 Park Plaza, Suite 5170, Boston, MA 02116, Attention: Jason Egan, Deputy General Counsel, or e-mailed to [email protected].


Webinar Materials for: Preparing for the strictest privacy law in the nation


As a follow-up to Wednesday’s lunchtime webinar sponsored by Knowledge Management Associates, I wanted to post some materials for those of you who missed it and for those looking for notes and details.


Massachusetts General Laws Chapter 93H
http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm

201 CMR 17.00

Click to access 201CMR17amended.pdf

Compliance Building Posts on Mass. Data Privacy
https://www.compliancebuilding.com/tag/mass-data-privacy-law/

Complying with Massachusetts Data Protection Regulations


The current deadline for complying with the Massachusetts Data Privacy Law is January 1, 2010. Since the law protects personal data of the citizens of the Commonwealth of Massachusetts, its reach extends well beyond the state borders. TechTarget recently held a seminar on 201 CMR 17.

It is a tough law to deal with. Even its creators are unsure about what it actually says. At the Compliance Decisions conference, a presenter from the state government overstated the requirements of the law: No easy answers for complying with data protection regulations.

Based on some coverage of the seminar, a few interesting items came out.

When it comes to wireless standards: “You have to look at what is considered industry best practices. Specific to a wireless control, don’t go out and look at WEP. Don’t go out and look at WPA. Both of those protocols have been breached. You’ve got to go to WPA2.”

When it comes to compliance and enforcement: “It is true that the attorney general is going to decide what is in compliance or not.”


Preparing for the strictest privacy law in the nation: MA Privacy Law 201 CMR 17


Join me for a webinar on the Massachusetts Data Privacy Law.

Knowledge Management Associates, LLC is sponsoring a webinar on Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17.

  • I will provide an overview of the law.
  • Roberty Boonstra will share some of his best practices around implementation and compliance with the law.
  • Sean Megley, of Knowledge Management Associates, will provide a look at their SharePoint-based compliance management solution to address 201 CMR 17.00.

The webinar will be on July 29, 2009 from 12:30pm – 1:30pm (Boston time). And it’s free. You can register on their webinar registration page.