Employment Law Bulletin
Compliance with Data Security Regulations and Other Related Laws
If your business collects, stores or transmits personal information of a Massachusetts resident, defined as a Massachusetts resident’s name in combination with one or more of the following: social security number, bank or other financial account number, credit or debit card number, or driver license or state-issued identification card number (“Personal Information”), then you only have until March 1, 2010 to achieve compliance with the new data security regulations (201 CMR 17.00). The regulations are designed to work in conjunction with two related statutes regarding the protection of Personal Information: the Security Breaches Notification Law, M.G.L. Chapter 93H (“Chapter 93H”), and the Disposition and Destruction of Records Law, M.G.L. Chapter 93I (“Chapter 93I”). Chapter 93H authorized the Commonwealth’s Office of Consumer Affairs and Business Regulation (“OCABR”) to adopt regulations designed to safeguard Personal Information. While the OCABR has extended the deadline and revised the regulations a number of times since their initial publication in September 2008, it is apparent that the March 1, 2010 deadline is now firm.
Data Security Regulations
The regulations require that any person or business that owns or licenses Personal Information develop a written comprehensive information security program (“WISP”). The WISP must contain administrative, technical, and physical safeguards that are appropriate for i) the size, scope and type of business; ii) the amount of resources available; iii) the amount of stored data; and iv) the need for security and confidentiality of Personal Information. The safeguards in a WISP must be consistent with the safeguards for protection of Personal Information and other confidential information set forth in any state or federal regulations that may apply to the business.
The WISP must contain:
- Designation of Information Security Officer(s);
- Identification and assessment of reasonably foreseeable internal and external risks to the security of Personal Information;
- Development of policies for employees transporting Personal Information outside of business premises;
- Discipline of employees for security violations;
- Prevention of terminated employees from accessing Personal Information;
- Oversight of all third-party service providers who have access to Personal Information to ensure they are compliant with the regulations;
- Reasonable restrictions on physical access to Personal Information;
- Regular monitoring of the WISP;
- Annual review of the scope of security measures; and
- Documentation of responsive action taken in connection with a security breach.
When Personal Information is electronically stored or transmitted, to the extent technically feasible, the WISP must also contain:
- Secure user authentication protocols;
- Secure access control measures;
- Encryption of all portable devices containing Personal Information and of all Personal Information transmitted across public networks or wirelessly;
- Reasonably up-to-date firewall protection, operating system security patches, and anti-virus (malware protection) software, with current patches and virus definitions, on computers connected to the internet;
- Employee training; and
- Reasonable monitoring of computer systems.
With the deadline fast approaching, a good starting point is to identify a team of individuals from human resources, technology, senior management and legal to prepare the WISP. The team should conduct an audit of what Personal Information is maintained (employees and customers), who has access to it, and where it is located. Due diligence should be conducted on vendors who have access to Personal Information maintained by the business. The team should identify reliable technology consultants who can assess the computer security needs of the business. The team should also identify reputable vendors with experience in proper destruction of records containing Personal Information.
After assembling this information, the team should develop and implement the WISP. All employees should receive a copy of the WISP and be trained on the importance of the security of Personal Information. Businesses should take reasonable steps to select and retain reputable third-party service providers that are capable of maintaining appropriate security measures. Any written contract with a third-party service provider entered into after March 1, 2010 must contain a provision requiring the provider to comply with the regulations.
Security Breaches Notification Law
Effective October 31, 2007, Chapter 93H requires any person, defined to include a business, who owns or licenses Personal Information to notify the affected Massachusetts resident, the OCABR and the Attorney General when it knows or has reason to know of a breach of security, or that Personal Information was acquired or used by an unauthorized person or used for an unauthorized purpose. Chapter 93H establishes specific requirements for when and how notice must be given and what Massachusetts residents are to be told concerning a security breach. The Attorney General has authority to bring a civil action for violations of the security breach notification law and to recover a civil penalty of up to $5,000 per violation. Since Massachusetts is one of forty-five states that require security breach notification, an analysis of other states’ security breach notification laws will also be required if a breach involves personal information of residents from outside of Massachusetts.
Disposition and Destruction of Records Law
Effective February 3, 2008, Chapter 93I establishes requirements for the disposal of paper and electronic records containing Personal Information. Paper records must be redacted, burned, pulverized or shredded; electronic records must be destroyed or erased so that Personal Information cannot be practicably read or reconstructed. Violators are subject to a civil fine of up to $100 per Massachusetts resident affected (not to exceed $50,000 for each instance of improper disposal). The Attorney General may file a civil action for violation of Chapter 93I.
Failure to comply with Massachusetts laws designed to safeguard Personal Information may subject businesses to substantial civil penalties. Therefore, in preparing for the March 1, 2010 deadline, businesses should consult with legal counsel in developing and implementing a WISP. When responding to a breach of security, businesses should consult with legal counsel in order to satisfy the notice obligations under Chapter 93H and other applicable state laws. Upon receipt of such a breach notice, the Attorney General may seek information regarding a business’s WISP and its disposal of Personal Information.