Additional Time to Comply with Identity Theft Prevention Regulations

The Massachusetts Department of Consumer Affairs and Business Regulation have extended the deadline for compliance with 201 CMR 17.00: Business Community Given Additional Time to Comply with Identity Theft Prevention Regulations.

The regulations were orginally set to take effect on January 1, 2009. That deadline has been extended to May 1, 2009.  The deadlines for certification from third party providers and ensuring encryption of laptops have been extended to January 1, 2010.

See previous posts:

New Data Security Regulations Have Sweeping Implications For Massachusetts Businesses

A white paper written by Joe Laferrera of Gesmer Updegrove LLP New Data Security Regulations Have Sweeping Implications For Massachusetts Businesses (.pdf) provides a great analysis of the new Massachusetts Data Privacy Regulations, their impact and how to deal with them.

These are my prior posts on the new Massachusetts Data Privacy Regulations:

Thanks to Lee Gesmer of MassLawBlog.com for pointing out the article.

Computer System Requirements for New Massachusetts Privacy Regulations

As discussed in earlier alerts (Additional Guidance on the Massachusetts Privacy Regulations, Privacy and Security Alert: Massachusetts Has New Data Security Regulations and New Massachusetts Privacy Laws), starting on January 1, 2009, businesses will be held to a higher standard regarding the protection of Massachusetts residents’ personal information. The regulations set out in detail the required minimum standards to be met by persons or businesses who own, license, store, or maintain personal information about a Massachusetts consumer or employee 201 CMR 17.00. The Standards apply to paper as well as to electronic records.

The regulations have some very specific requirements for computer system security 201 CMR 17.04:

  1. Secure user authentication protocols
  2. Secure access control measures
  3. Encryption of transmitted records and files (to the extent feasible)
  4. Reasonable monitoring of systems (for unauthorized access to personal information)
  5. Encryption of all personal information stored on laptops or other portable devices
  6. Reasonably up-to-date firewall protection for files containing protected information on a system that is connected to the Internet
  7. Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions
  8. Education and training of employees on the proper use of the System and the importance of personal information security
  9. Features required for secure user authentication protocols and secure access control measures.

Whistleblowers in France

French privacy law limits the ability to use anonymous hotlines.

In France, the French Data Protection Authority (La Commission Nationale de l’Informatique et des Libertés (CNIL)), an administrative agency, oversees processes involving the collection or compilation of personal data. In 2005 they decided that two reporting procedures were in violation of French privacy law. McDonald’s Corp. and CEAC, a division of Exide Technologies, sought CNIL’s approval of their whistleblower hotline procedures. In June 2005, CNIL announced that these proposed reporting procedures would violate French law and it refused to authorize the use of such procedures. CNIL expressed concerned that anonymous reporting would lead to malicious false reports of misconduct. They determined that the risk of malicious reporting was disproportionate to the benefit of the hotlines.

There is an obligation to file procedures with the CNIL before they are implemented if files or records will be maintained in France.

See Law Flash from Morgan Lewis: Whistleblower Procedures Inconsistent with French, German Law?

Nevada Law on Privacy of Personal Information

A Nevada law requiring encryption of customer personal information went into effect on October 1, 2008. See Nev. Rev. Stat. § 597.970. The legislation is short but potentially wide-ranging in scope.

NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

1.  A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

2.  As used in this section:

(a) “Encryption” has the meaning ascribed to it in NRS 205.4742.

(b) “Personal information” has the meaning ascribed to it in NRS 603A.040.

(Added to NRS by 2005, 2506, effective October 1, 2008)

What Is Personal Information?

Nevada law defines “personal information” to mean:

natural person’s first name or first initial and last name in combination with the person’s: social security number; driver’s license number or identification card number; and/or account, credit or debit card number in combination with any security code, access code, or password that would permit access to the person’s financial account.

Nev. Rev. Stat. § 603A.040. Natural person is not limited to Nevada residents.

What is Encryption?

Encryption means

the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

(Added to NRS by 1999, 2704)

1.  Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

2.  Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

3.  Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

Nev. Rev. Stat. § 205.4742 (2007).

Additional Guidance on the Massachusetts Privacy Regulations

The Massachusetts Office of Consumer Affairs and Business Regulation has provided guidance regarding its new regulations requiring all entities that own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts to develop, implement and maintain a comprehensive written information security program and make specific computer information security requirements. I mentioned the regulations, which have a January 1, 2009 compliance date, previously: New Massachusetts Privacy Laws, Privacy and Security Alert: Massachusetts Has New Data Security Regulations, Massachusetts Regulations to Mandate Comprehensive Information Security Requirements.

The newly issued guidance consists of the following:

New Massachusetts Regulations to Mandate Comprehensive Information Security Requirements

goodwinprocter_logo

Goodwin Procter LLP published a summary of the New Massachusetts Regulations to Mandate Comprehensive Information Security Requirements.

The regulations have broad coverage, applying to all entities that own, license, store or maintain personal information about residents of the Commonwealth of Massachusetts, regardless of whether or not the entity has operations in the Commonwealth. Federally regulated financial and other entities are not exempt from the Massachusetts regulations, raising the question of whether entities that are in compliance with Gramm-Leach-Bliley, HIPAA and/or SEC information security requirements will be considered to meet the new Massachusetts requirements. Significantly, “personal information” has a somewhat limited scope, and is defined as a resident’s first and last name or first initial and last name in combination with a Social Security number, driver’s license number or financial account number. The regulations impose two principal requirements: (i) the duty to develop, implement and maintain a very comprehensive written information security program that meets very specific requirements; and (ii) the obligation to meet specific computer information security requirements.

Privacy and Security Alert: Massachusetts Has New Data Security Regulations

Cynthia Larose, Elissa Flynn-Poppey and Julia M. Siripurapu of Mintz Levin Put together an alert with a a summary of the new Massachusetts Data Security Regulations: Privacy and Security Alert: Massachusetts New Data Security Regulations Effective January 1, 2009.

The alert has a summary of some of the changes to the changes to the regulations since comments were made in january 2008.

Protecting Individual Privacy in the Struggle Against Terrorists

The National Research Council has published a new report finding that all U.S. agencies with counterterrorism programs that collect personal data should be required to evaluate the programs’ effectiveness, lawfulness, and impacts on privacy.

In its press release, they summarize that “Collecting and examining data to try to identify terrorists inevitably involves privacy violations, since even well-managed programs necessarily result in some “false positives” where innocent people are flagged as possible threats, and their personal information is examined.  A mix of policy and technical safeguards could minimize these intrusions, the report says.  Indeed, reducing the number of false positives also improves programs’ effectiveness by focusing attention and resources on genuine threats.”

The report, Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment, is available from The National Acadamies Press in paperback or free online.

“All U.S. agencies with counterterrorism programs that collect or “mine” personal data — such as phone records or Web sites visited — should be required to evaluate the programs’ effectiveness, lawfulness, and impacts on privacy. A framework is offered that agencies can use to evaluate such information-based programs, both classified and unclassified. The book urges Congress to re-examine existing privacy law to assess how privacy can be protected in current and future programs and recommends that any individuals harmed by violations of privacy be given a meaningful form of redress. Two specific technologies are examined: data mining and behavioral surveillance. Regarding data mining, the book concludes that although these methods have been useful in the private sector for spotting consumer fraud, they are less helpful for counterterrorism because so little is known about what patterns indicate terrorist activity. Regarding behavioral surveillance in a counterterrorist context, the book concludes that although research and development on certain aspects of this topic are warranted, there is no scientific consensus on whether these techniques are ready for operational use at all in counterterrorism.”

Read this FREE online!
Full Book | PDF Summary

New Massachusetts Privacy Laws

Governor Patrick signed Executive Order 504 an order regarding the the Security and Confidentiality of Personal Information on September 19, 2008. This order revokes the earlier Executive Order 412.

There are also new state regulations 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth (effective Jan. 1, 2009) implementing M.G.L. c. 93H.

The Executive Order applies to state agencies. It goes further to require all contractors with the state to comply with the requirements. Even further it requires those contractors to require the contractors to require their subcontractors to also comply with the requirements.

The regulations apply to every person that “owns, licenses, stores or maintains personal information about a resident of the Commonwealth.” The regulations require:

“a comprehensive, written information security program applicable to any records containing such personal information.  Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records.”

The regulations also require a designation of “one or more employees to maintain the comprehensive information security program.” Sounds like another task for the Chief Compliance Officer.

Thanks to Lee Gesmer of the Mass Law Blog for pointing this out: New Massachusetts Rules on Identity Theft.