Schlossberg & Associates, LLC
Report From Counsel
Winter 2009 Edition
The New Massachusetts Data Security Law Applies to You!
By Scott I. Wolf, Esq.

Massachusetts has charged ahead with a very strict information privacy law that will almost certainly affect your Massachusetts business. While the law (MGL 93H) has been on the books for a year, the Attorney General’s office has finally issued regulations, which will go into effect on May 1, 2009. In essence, the law requires that (i) any business or person who holds or maintains the “personal information” of a resident of Massachusetts must maintain a comprehensive written plan on how to deal with that information and that (ii) businesses maintain technical standards with respect to electronic information.

Safeguard of Personal Information

Personal information is defined as a person’s last name plus any one of the following: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. This includes, to name a few examples, a business’s internal personnel records, credit card receipts (whether hard copies or electronic copies), customer invoices, and employment or credit applications, whether or not approved.

The comprehensive written plan requires each of the following items to be addressed and/or implemented:
  1. Designating one or more employees to maintain the comprehensive information security program.
  2. Identifying and assessing reasonably foreseeable internal and external risks to the integrity of records containing personal information, and evaluating and improving safeguards.
  3. Developing security policies for employees who take personal information off business premises.
  4. Imposing disciplinary measures for violations.
  5. Preventing terminated employees from accessing personal information.
  6. Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information including (i) selecting and retaining service providers that are capable of maintaining safeguards for personal information; and (ii) contractually requiring service providers to maintain such safeguards.
  7. Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with state or federal record retention requirements.
  8. Identifying what records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.
  9. Reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas or containers.
  10. Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.
  11. Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
  12. Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
This onerous list is mandatory, and while consumers do not have a per se right to sue, consumers would likely have negligence claims against businesses whose release of personal information resulted in a financial or other injury to a Massachusetts resident. Further, the Attorney General can enforce compliance with this law under the Consumer Protection Act, though we feel it is more likely the Attorney General would pursue serious data breaches, like the one that occurred with TJX.
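Item 8 above requires a business to identify which records contain personal information as defined earlier (a last name plus one of the listed identifiers). The Python script below is an added illustration, not part of this newsletter or of the regulation, of how a small data-inventory check might apply that definition to a batch of records; the record layout, the regular expressions, the Luhn filter and the sample records are all assumptions, and driver’s license numbers are not detected.

```python
import re

# Constructed example, not from the newsletter or the regulation. It detects two
# of the three data elements in the MGL 93H definition (Social Security numbers
# and card/account numbers); driver's license formats vary by state and are
# left out here.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_identifiers(text: str) -> set:
    """Return the identifier types (ssn, card) present in a free-text field."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("card")
    return found

def classify_record(record: dict) -> dict:
    """Apply the 'last name plus one identifier' test from the definition."""
    ids = set()
    for value in record.get("fields", {}).values():
        ids |= find_identifiers(str(value))
    return {"identifiers": sorted(ids),
            "personal_information": bool(record.get("last_name")) and bool(ids)}

# Constructed sample records: a personnel note, a card receipt, and a log line
# that carries a card number but no name (so it does not meet the definition).
SAMPLE_RECORDS = [
    {"id": "hr-001", "last_name": "Doe", "fields": {"notes": "SSN 078-05-1120 on file"}},
    {"id": "rcpt-17", "last_name": "Roe", "fields": {"body": "Paid with 4111 1111 1111 1111"}},
    {"id": "log-9", "last_name": None, "fields": {"msg": "card 4111 1111 1111 1111 approved"}},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["id"], classify_record(rec))
```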

Computer/Electronic Information Protocols

The regulation also sets forth detailed requirements to protect personal information that is stored electronically, whether on a server, a laptop, a flash drive, a cell phone, or a PDA. The written plan described above requires the business to maintain control over user IDs and passwords and to ensure that passwords are secure, which means that they should be changed frequently and randomly assigned. The program also requires lock-out provisions for unsuccessful login attempts, detailed controls to limit access to personal information, monitoring for unauthorized access to files containing personal information, encryption of all personal information that leaves the business premises physically or by electronic communication (e.g. email), and perhaps most importantly “reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information [and] reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.”

Each of you reading this likely needs to take a hard look at your current computer system, in consultation with a professional IT consultant, to make sure you have proper systems in place to protect personal information.

We at Schlossberg & Associates are preparing master plans that can be customized to fit your particular needs. We do not believe that there is a one-size-fits-all approach to these plans, and we will provide you with updates as we get them. Our recommendation for the first half of 2009 is to review your business operations with an eye to identifying where and how you collect and store personal information, as that will determine the complexity of the plan you will be required to implement.

Please contact Scott Wolf, Esq. or Jenifer Pinkham, Esq. at 781-848-5028 if you would like to discuss the regulations in more detail.

A full copy of the regulations is available at http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf