Amendment to Mass. Data Privacy Law

Goodwin Procter has published a client alert describing the amendments to the Massachusetts Data Privacy Law (my posts on this topic).

They detail three changes. First is pushing back the compliance deadline to January 1, 2010. Second, they have lifted some of the contract amendment and certification requirements for vendors. Third, they clarified the wireless encryption requirement.

The text of the amended regulations (.pdf).

Massachusetts Amends and Extends Its Data Privacy Law

According to this press release from the Massachusetts Office of Consumer Affairs and Business Regulation, they have once again extended the deadline for complying with the regulations. Now the regulations will take effect Jan. 1, 2010.

I have not had a chance to analyze the differences yet, but here are the amended regulations under 201 CMR 17.00 (.pdf).

Decoding the Science of Compliance — Are you Ready for 201 CMR 17.00?

Compliance Week broadcast a webcast on the new Massachusetts data privacy regulations: Decoding the Science of Compliance — Are you Ready for 201 CMR 17.00? (and sponsored by Iron Mountain).

Garry Watzke, Esq., Senior Vice President Legal & Business Development at Iron Mountain, Inc. started with the basics which I have noted in several other places:

John Jamison, Vice President Consulting Services at Iron Mountain, Inc. moved on to implementation challenges. He points out that this is not a pure IT project. There is no single tool that provides coverage across the multiple platforms in most businesses. There is IT, but there is also a business-wide program that needs to be in place and maintained.

Garry points out that you need to maintain employee compliance and have a way to detect and prevent system failures.

See also these prior posts:

Bingham Presentation on Massachusetts Data Security Law

Bingham McCutchen LLP put together a panel presentation on Complying with Massachusetts' New Data Security Regulations.

Mark Robinson, a partner at Bingham, started with an introduction of the law and panel. He called the law “perilous.”

Beth Boland, a partner at Bingham, went through the requirements of the new law. OCBR and the business community seem to be at a disconnect over the law. OCBR thinks that the regulations are not a big deal. They cite a statistic that there were over 318 reported breaches that affected more than 500 Massachusetts residents during the 10-month period when they were considering the law. [See Report of M.G.L. Chapter 93H Notifications (.pdf)]

Beth highlighted that the limitation in 201 CMR §17.03(g), that data should only be collected that is “reasonably necessary to accomplish the legitimate purpose for which it is collected,” is unique to Massachusetts.

Beth highlighted one of the pitfalls as being the cascading certifications. First, there is no standard for certification. She expects there will be some battle over acceptable forms. Second, you need to follow the certification process all the way down the chain of custody to your providers, the sub-providers, the sub-sub-providers, etc.

Beth highlighted that May 1, 2009 is the deadline for getting contractual agreement that service providers will comply, and January 1, 2010 is the deadline for getting a compliance certification.

Doug Schwarz, a partner at Bingham, pointed out that in some organizations the requirements will mostly affect Human Resources, and that HR may end up driving the process instead of IT.

Data Privacy Roundtable

Deloitte hosted an executive roundtable on Massachusetts Data Protection. The room was packed full of us trying to figure out what to do with these regulations.

Mark Schreiber of Edwards Angell Palmer & Dodge kicked things off with a look at the history of the regulation and the regulators' view of the regulations. The regulators acknowledge that the regulations are burdensome. “Tough!” they say. “Look at all of the data breaches!”

The regulations started with MGL c. 93H addressing data breaches, with Section 2(a) of MGL c. 93H providing for the promulgation of regulations. What came out were some of the toughest regulations in the country. There are no exemptions for industry, sector or size. If you have personal information on a Massachusetts resident you need to comply. That means every company with operations in Massachusetts and any company with information on a Massachusetts resident. These regulations go beyond the Red Flag Rules from the FTC.

Companies need to address whether they are going to implement full enterprise protection or merely selective protection. If you can isolate the data on Massachusetts residents, you can treat it differently than other data.

The panelists also brought up the concept of “data in motion” versus “data at rest.” You need to look at how you are transmitting data as well as how it is stored.

What happens if you do not comply? There is no private right of action under the statute or regulations. But there will be lawsuits under these statutes. The panel foresees two types of class action suits coming out of the law. One will be a negligence claim for allowing a data breach: the law creates the standard, so failure to comply with the law is negligence per se. They also see suits over the failure to properly notify the individuals affected by a data breach.

Audience poll: How many have a team assembled to implement the new regulations:

  • 72% Yes
  • 24% No
  • 4%  Not sure

Audience poll: How many have read the new regulations and guidance:

  • 45% Yes
  • 55% No

Audience poll: How many have addressed whether to do selective encryption or selective protection:

  • 29% Yes
  • 62% No
  • 9% Not sure

Everyone who said yes has decided to use encryption.

The panel moved on to stress the importance of ownership of the Written Information Security Policy required by the law. You need to address the physical requirements as well as the electronic requirements. This requires a team approach, including HR, compliance, IT and building security.

You also need to focus on how to handle data security breaches. The Massachusetts statute, as well as those of other states, has a very short time frame for notification. Less than half the audience had a well-defined plan or even a somewhat defined plan.

On the training front, you need to decide on a discipline for failure to comply. You also need to decide who to train and the level of training.

Audience poll: How many have training programs on information security:

  • 30% Training for all employees
  • 13% Training for selected employees
  • 52% None
  • 5%  Not sure

The paradigm of the Massachusetts law is that you should only collect the information you need, store it for only the time needed and make it available only to the people who need it.

In assessing the biggest challenges to complying with the law, the audience found identifying and assessing risks to be the biggest challenge. 53% of the audience has not done an audit of personal information sources. 49% of the audience does not monitor access to personal information.

Vendor management is another big issue under the law. If you share personal data with vendors, they need to be in compliance with the law. The law requires a certification of compliance, but there is no standard form of certificate. The first step is to identify vendors and then to assess the risk profile for each vendor. 59% of the audience had not identified vendors that handle personal data.

As part of vendor management, you will need to continually monitor vendors that share personal data. You need to negotiate compliance into the vendor agreements and include oversight provisions. You need to incorporate vendor risk management as part of the governance program.

Public Hearing on Massachusetts Data Privacy Regulations

The Massachusetts Office of Consumer Affairs and Business has published a Notice of Public Hearing on 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth. (.pdf)

The hearing is on Friday, January 16, 2009 at 2:00 pm in Room No. 5-6, Second Floor of the Transportation Building, 10 Park Plaza, Boston.

Additional Time to Comply with Identity Theft Prevention Regulations

The Massachusetts Department of Consumer Affairs and Business Regulation has extended the deadline for compliance with 201 CMR 17.00: Business Community Given Additional Time to Comply with Identity Theft Prevention Regulations.

The regulations were originally set to take effect on January 1, 2009. That deadline has been extended to May 1, 2009. The deadlines for certification from third-party providers and for ensuring encryption of laptops have been extended to January 1, 2010.

See previous posts:

New Data Security Regulations Have Sweeping Implications For Massachusetts Businesses

A white paper written by Joe Laferrera of Gesmer Updegrove LLP New Data Security Regulations Have Sweeping Implications For Massachusetts Businesses (.pdf) provides a great analysis of the new Massachusetts Data Privacy Regulations, their impact and how to deal with them.

These are my prior posts on the new Massachusetts Data Privacy Regulations:

Thanks to Lee Gesmer of MassLawBlog.com for pointing out the article.

Computer System Requirements for New Massachusetts Privacy Regulations

As discussed in earlier alerts (Additional Guidance on the Massachusetts Privacy Regulations, Privacy and Security Alert: Massachusetts Has New Data Security Regulations and New Massachusetts Privacy Laws), starting on January 1, 2009, businesses will be held to a higher standard regarding the protection of Massachusetts residents’ personal information. The regulations (201 CMR 17.00) set out in detail the required minimum standards to be met by persons or businesses who own, license, store, or maintain personal information about a Massachusetts consumer or employee. The Standards apply to paper as well as to electronic records.

The regulations have some very specific requirements for computer system security (201 CMR 17.04):

  1. Secure user authentication protocols
  2. Secure access control measures
  3. Encryption of transmitted records and files (to the extent feasible)
  4. Reasonable monitoring of systems (for unauthorized access to personal information)
  5. Encryption of all personal information stored on laptops or other portable devices
  6. Reasonably up-to-date firewall protection for files containing protected information on a system that is connected to the Internet
  7. Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions
  8. Education and training of employees on the proper use of the System and the importance of personal information security
  9. Features required for secure user authentication protocols and secure access control measures.

Additional Guidance on the Massachusetts Privacy Regulations

The Massachusetts Office of Consumer Affairs and Business Regulation has provided guidance regarding its new regulations requiring all entities that own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts to develop, implement and maintain a comprehensive written information security program and to meet specific computer information security requirements. I mentioned the regulations, which have a January 1, 2009 compliance date, previously: New Massachusetts Privacy Laws, Privacy and Security Alert: Massachusetts Has New Data Security Regulations, Massachusetts Regulations to Mandate Comprehensive Information Security Requirements.

The newly issued guidance consists of the following: