Bingham

Massachusetts’ Data Security Regulations Significantly Revised, and Effective Date Extended to March 1, 2010

Other Changes Include “Grandfathering” of Third-Party Service Provider Contracts; “Risk-Based” Implementation Approach

Aug. 19, 2009

As highlighted in Bingham’s Privacy & Security Alerts dated October 31, 2008, November 18, 2008, and February 18, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) has proposed new and expansive regulations (the “Regulations”), codified at 201 CMR 17.00, requiring that persons who “own or license personal information about a resident of the Commonwealth” comply with strict requirements to safeguard such personal information.

The Regulations require entities holding personal information of Massachusetts residents to:

  • establish a comprehensive information security program that includes “up-to-date” firewall protection and that identifies and assesses reasonably foreseeable internal and external risks to all systems holding personal information of Massachusetts residents;
  • encrypt, to the extent technically feasible, all wirelessly transmitted data and documents containing personal information sent over the Internet or saved on laptops or flash drives; and
  • take “reasonable steps” to select and retain third-party vendors that have the capacity to maintain appropriate security measures for personal information, and contractually require such vendors to maintain such safeguards in the future.

The Regulations are far reaching, and apply to any business that “owns or licenses personal information” about a resident of Massachusetts (i.e., a first name or initial and last name, in combination with (1) a Social Security number, (2) a driver’s license or state-issued identification number, or (3) a financial account or credit/debit card number).

On August 17, 2009, the OCABR announced significant revisions to the original Regulations, and extended the compliance deadline from January 1, 2010 to March 1, 2010. The revised Regulations:

  • Adopt a “risk-based” approach that takes into account the particular business’s size, scope, amount of resources, nature and quantity of data collected or stored, and the need for security, rather than mandating every component of the program regardless of the size and nature of the business.
  • Adopt an approach intended to be more consistent with federal regulations and with technological feasibility:
    • Rather than requiring certain specific provisions in a business’s written security program, the Regulations now list such provisions as guidelines. The safeguards contained in the information security program must instead be “consistent with” similar safeguards imposed by applicable state or federal law.
    • For clients in the securities industry, the proposed revisions largely track the SEC’s proposed revisions to Regulation S-P requiring SEC registrants to have, maintain, and monitor a comprehensive security program to protect personal information.
  • Revise the definition of “encryption” to make it more flexible, and impose computer system security requirements relating to encryption “to the extent technically feasible.” According to the OCABR, this means “that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.”
    • Importantly, the OCABR acknowledges that while there is generally accepted technology for encryption of laptops, “there is little, if any, generally accepted encryption technology for most portable devices” such as PDAs, iPhones, etc.
  • Significantly revise the provisions governing the oversight of third-party service providers.
    • Businesses must “take reasonable steps to select and retain” third-party service providers capable of maintaining appropriate security measures “consistent with these regulations and any applicable federal regulations.” These provisions are now expressly modeled after the third-party vendor provisions in the FTC’s Safeguards Rule.
    • “Service providers” are limited to those that provide services “directly to a person that is subject to” the Regulations. As a result, businesses do not have a direct responsibility under the Regulations to ensure that subcontractors retained by direct contractors comply with the Regulations.
    • Third-party service providers are still required to contractually agree to implement and maintain appropriate security measures. However, the new Regulations provide a “grandfathering” exemption that runs until March 1, 2012: a contract entered into before March 1, 2010 will be deemed compliant even without a clause requiring the third-party service provider to maintain appropriate security measures. This eliminates the effective requirement under the prior regulations that companies retroactively amend existing third-party service provider contracts.
  • Are now limited to persons who “own or license” personal information about Massachusetts residents in connection with the provision of goods or services or in connection with employment. While the definition extends to those who “receive, maintain, process, or otherwise have access to” personal information, it does not cover natural persons who are not engaged in commerce.
    • Note: Businesses that merely “swipe” but do not retain credit card information are not considered to “own or license” that information so long as the data is batched out in accordance with Payment Card Industry (PCI) standards.

On a paragraph-by-paragraph basis, the key revisions include:

Section 17.02 Definitions:

    • The term “encrypted” now omits the requirement that data be transformed “through the use of an algorithmic process, or an alternative method at least as secure.” The Regulations now define “encrypted” as: “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.”
    • “Owns or licenses” was added as a defined term, and covers any person who “receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”
    • “Service provider” was also added as a defined term. A service provider is defined as “any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.” Additionally, the U.S. Postal Service is explicitly excluded from being deemed a “service provider.”

Sections 17.03(1) and (2) Duty to Protect and Standards for Protecting Personal Information:

    • Certain specific provisions previously required to have been included in the comprehensive information security program (e.g., deactivating passwords and user names of departed employees) have been omitted. Safeguards must instead “be appropriate” to the business’s size and scope, etc., and be “consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.”

Section 17.03(2)(f) Third-Party Vendors:

    • Covered persons must oversee third-party service providers by: “[t]aking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations.”
    • Oversight also includes “requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed to be in compliance herewith, notwithstanding the absence in any such contract of a requirement that the service provider maintain such protective security measures, so long as the contract was entered into before March 1, 2010.”

Section 17.04 Computer System Security Requirements:

    • All computer system security requirements — not just those for encryption — are to be employed “to the extent technically feasible.”

A public hearing on the Regulations will commence at 10:00 a.m. on Tuesday September 22, 2009, in Room No. 5-6, Second Floor of the Transportation Building, Ten Park Plaza Boston, Massachusetts 02116.

To review a redlined version showing the changes made to the Regulations, click here.

To review the OCABR Answers to Frequently Asked Questions regarding the revised regulations filed on August 17, 2009, click here.

Bingham’s Privacy and Security Group helps companies in a broad range of industries comply with a complex array of data protection and privacy laws, regulations and standards. We have successfully handled numerous major data breach matters in a variety of jurisdictions.

For further information please contact one of the following lawyers:

Mark E. Robinson, Partner
mark.robinson@bingham.com, 617.951.8018

Circular 230 Disclosure: Internal Revenue Service regulations provide that, for the purpose of avoiding certain penalties under the Internal Revenue Code, taxpayers may rely only on opinions of counsel that meet specific requirements set forth in the regulations, including a requirement that such opinions contain extensive factual and legal discussion and analysis. Any tax advice that may be contained herein does not constitute an opinion that meets the requirements of the regulations. Any such tax advice therefore cannot be used, and was not intended or written to be used, for the purpose of avoiding any federal tax penalties that the Internal Revenue Service may attempt to impose.
