ACA Insight: the weekly news source for investment management legal and compliance professionals

News February 15, 2010 Issue

Compliance Deadline Looms For Massachusetts Data Privacy Law

For such a relatively small state, Massachusetts has a big change coming in its data privacy law.

The new regulation has probably been on your radar since September 2008, when it was adopted. Then you cheerfully pushed it back to the bottom of the already too-high pile each time the compliance deadline was extended as Massachusetts struggled to revise away some of the regulation's more "unworkable" and "unduly burdensome" requirements.

No such luck anymore.

If you've got an employee or a client who is a Massachusetts resident, the Massachusetts data privacy regulation (201 CMR 17.00) applies to you. And come March 1, you must have a security program in place that complies with it.

Unlike the comprehensive regulatory approaches taken by the EU and Canada, the U.S. leaves data privacy policy issues largely up to the states (Regulations S-P and S-AM notwithstanding). In the states, the legal landscape in data privacy law has been shifting from breach disclosure to proactive security regimes.

Since California got the ball rolling in 2003, now forty-five states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands require notice to individuals when the security of their personal information is compromised. A number of states have since been raising their games.

Among them, in 2007, California enhanced its breach disclosure regulation to require "reasonable security measures" to protect data privacy. Nevada adopted data encryption requirements in 2008, and has since augmented its regulation to include the establishment of a full-blown data privacy protection program.

Now comes Massachusetts, which, after a few adjustments, has succeeded in moving to proactive data security requirements to protect personal information (PI). "Massachusetts and Nevada are leading the charge by requiring businesses to take specific, affirmative steps to protect personally identifiable information," said Proskauer associate and expert on state data privacy issues Brendon Tavelli.

The new regulation applies to any person that "owns or licenses" a Massachusetts resident's PI.

Personal information is defined as a person's first and last name, or first initial and last name, in combination with one or more of the following:

  • Social security number
  • Driver's license number or state-issued ID card number
  • Financial account number
  • Credit or debit card number

There is a carve-out for information that is "lawfully obtained from publicly available information."
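As an added illustration (not from the original article, and not text of the regulation), the following Python classifier applies the PI definition above to a record: a first name or first initial plus a last name, combined with at least one of the four listed identifiers, with the public-information carve-out honored. The field names, the SSN format check, the Luhn checksum on card numbers and the sample records are assumptions of this example, chosen so that a WISP scoped only to PI-bearing records (the risk-based option discussed later in the article) can be driven by a repeatable rule rather than by eyeballing.

```python
import re

# Added example: classifier for the 201 CMR 17.02 definition of "personal
# information" as summarized in the article. Field names, the SSN format
# check and the Luhn check on card numbers are assumptions of this example.

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")      # assumed US SSN layout
CARD_DIGITS_RE = re.compile(r"^\d{13,19}$")         # assumed PAN length range


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_name(rec: dict) -> bool:
    """First name (or first initial) together with last name."""
    first = (rec.get("first_name") or "").strip()
    last = (rec.get("last_name") or "").strip()
    return bool(first) and bool(last)   # a single initial already counts


def identifiers_present(rec: dict) -> list:
    """Which of the four listed identifier types the record carries."""
    found = []
    if SSN_RE.match((rec.get("ssn") or "").strip()):
        found.append("ssn")
    if (rec.get("drivers_license") or rec.get("state_id") or "").strip():
        found.append("license_or_state_id")
    if (rec.get("account_number") or "").strip():
        found.append("financial_account")
    card = re.sub(r"[ -]", "", rec.get("card_number") or "")
    if CARD_DIGITS_RE.match(card) and luhn_ok(card):
        found.append("card_number")
    return found


def is_massachusetts_pi(rec: dict) -> bool:
    """True when the record falls under the regulation's PI definition."""
    if rec.get("public_source"):        # carve-out: lawfully obtained from public info
        return False
    return has_name(rec) and bool(identifiers_present(rec))


def scope_records(records):
    """Return only the records a WISP scoped to PI must cover."""
    return [r for r in records if is_massachusetts_pi(r)]


# Constructed sample records: fictional names and standard test numbers,
# not real people or real accounts.
SAMPLE_RECORDS = [
    {"first_name": "J", "last_name": "Doe", "ssn": "123-45-6789"},
    {"first_name": "Jane", "last_name": "Doe", "card_number": "4111 1111 1111 1111"},
    {"first_name": "Jane", "last_name": "Doe", "card_number": "4111 1111 1111 1112"},
    {"first_name": "Jane", "last_name": "Doe", "email": "jane@example.com"},
    {"ssn": "123-45-6789"},
    {"first_name": "Jane", "last_name": "Doe", "account_number": "00012345",
     "public_source": True},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(is_massachusetts_pi(r), identifiers_present(r))
```

Of the six constructed records only the first two are PI under the rule: the third fails the Luhn check, the fourth has a name but no listed identifier, the fifth has an identifier but no name, and the sixth is excluded by the carve-out. Note that the email address in the fourth record is deliberately ignored: it is not one of the four identifiers the Massachusetts definition lists.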

The centerpiece of the new Massachusetts regulation is the requirement to establish a written information security program (WISP). The program must include administrative, technical and physical safeguards appropriate to the organization's size, scope and type of business, the amount of stored information, and the need for security and confidentiality of both consumer and employee information.

As a result, compliant WISPs can take many forms. However, some key elements must be present in each program.

Covered businesses must designate one or more employees to maintain and oversee the program.

The program must identify and assess reasonably foreseeable risks to business records of all types (electronic, paper, etc.) that contain PI.

Access to PI should be restricted on a need-to-know basis. Disciplinary measures for program violations must be implemented, as well as protocols to immediately block all access to PI for terminated employees. Policies must be developed relating to the off-site storage, access and transportation of records containing PI.

Service providers must be overseen as part of the WISP, and the service providers themselves must be obligated by contract to have their own "appropriate security measures for personal information."

The WISP must be reviewed at least annually and whenever a material change in business occurs that could implicate the security or integrity of PI records. The program must evaluate and improve its safeguards, through means such as ongoing employee training and compliance with policies and procedures, and detecting and preventing security system failures.

Breach incidents and responses must be documented, with a mandatory "post-incident review" of the event and any action that was taken.

Common areas of breach exposure include:

  • Network hacking;
  • Lost or stolen laptops;
  • Mobile devices lacking security features or sufficient security features;
  • Insecure media disposal;
  • Insecure wireless networks;
  • Botched software updates or upgrades;
  • And that old standby, human error.

There are some "duh" elements in the regulation, too.

If you store your information electronically, you must maintain up-to-date antivirus software, firewalls, and security patches. You've got to encrypt PI where it is most exposed: on laptops and other portable devices, and in transit across public networks or wireless connections. You've got to monitor your systems for unauthorized access, and make sure your employees are trained on how to use the system and on the importance of protecting PI.

The new regulation recognizes the wide variety of businesses that will be affected, and addresses that by adding a measure of reasonableness. Under this so-called risk-based approach, your program can identify and apply only to the specific records, computing systems or storage media that contain PI, or you can choose to subject all business records to the program. Security systems for electronic data must be implemented "to the extent technically feasible." The WISP itself must be designed in consideration of "the amount of resources available to such person." One web site notes that Massachusetts regulators David Murray and Gerry Young, who crafted the new regulation, have emphasized that the burden it imposes is directly related to the size of a business and the amount of PI the business maintains. "Your job," says the web site, "is to apply the right amount of '201 CMR 17-ness' to keep safe the PI your organization handles."

Risk-based approaches are all the rage in these fiscally constrained times, and the decision-making that is part of that approach has never been more important. At critical junctures in your program, it might be a good idea to document why you chose to go the way you did. "Undocumented controls won't satisfy the rule," said ACA Compliance Group principal consultant Joshua Broaded. He suggests that firms should start by documenting what they already do, and then adding documented refinements as necessary to meet the requirements of the Massachusetts regulation.