The deadline for compliance with a key requirement of the Massachusetts Data Security Regulations is here. By March 1, contracts must require that certain service providers implement and maintain appropriate security measures to protect personal information.
The requirement pertains to entities — and the service providers they retain — that “own or license” Massachusetts residents’ “personal information.” Because the regulations contain such broad definitions for those terms, most service providers — from your payroll vendor and benefit plan administrator to your e-commerce hosting provider — are likely subject to the requirement, regardless of their location.
To “own or license” personal information, an entity must receive, store, maintain, process or otherwise have access to personal information of Massachusetts residents in connection with the provision of goods and services or in connection with employment.
“Personal information” is defined by the regulations as a Massachusetts resident’s name, in connection with any of the following: Social Security number; driver’s license number or state-issued identification card number; or financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.
The regulations require entities that own or license personal information of Massachusetts residents to oversee service providers by taking reasonable steps to select and retain providers that are capable of maintaining appropriate security measures to protect personal information.
Contracts with service providers entered into after the effective date of the regulations have been and continue to be required to contain a representation of compliance. However, to ease the burden on entities with already-existing service provider contracts, the regulations include a transition period for contracts that pre-date the March 1 effective date.
Specifically, any service provider contract entered into before March 1, 2010, is deemed to be in compliance, even without an express contractual provision, as long as it is updated by March 1, 2012.
Entities that own or license personal information of Massachusetts residents bear the burden of ensuring that their service providers are in compliance.
As such, consider whether your client relies on service providers to receive, store, maintain or process personal information of residents, or whether your client otherwise gives service providers access to such information.
If so, now is the time to ensure that those service provider contracts contain a representation that appropriate safeguards are maintained to protect personal information.
To satisfy the due diligence requirement set forth in the regs, consider asking for a copy of the service provider’s Written Information Security Program, or WISP. All entities that own or license personal information of Massachusetts residents are required to develop, implement and maintain a WISP, which sets forth administrative, technical and physical safeguards to protect personal information.
The regulations encourage a risk-based analysis, where the WISP is appropriate to the size, scope and type of business of the person obligated to safeguard the personal information; the amount of resources available to that entity; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.
In addition to ensuring that your client’s service providers are in compliance with the regs, it is important to ensure that your client is also in compliance. Entities that own or license personal information must take steps to protect the storage and transmittal of the information, requiring, among other things, “to the extent technically feasible,” the encryption of the information when it is being stored electronically on portable devices such as laptops or hand-held devices, or electronically transmitted over a public network like the Internet.
In fact, Attorney General Martha Coakley has made it clear that having a WISP is not enough for compliance.
Last July, her office settled with Belmont Savings Bank, which agreed to pay a civil penalty of $7,500 and to institute new security and training procedures following a breach in which an employee left a computer backup tape on a desk overnight, rather than in a storage vault.
A surveillance camera showed that the tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General’s Office, was likely incinerated by the bank’s waste disposal company.
While there was no evidence indicating that any customers’ personal information was acquired or used by an unauthorized person, or used for an unauthorized purpose, the settlement agreement states that if actual harm to customers results, the AG’s Office will reopen discussions in order to determine appropriate restitution.
It was the first settlement related to a violation of the regulations. While the AG’s Office entered into a consent agreement with a restaurant chain in April 2011 for data security failures, resulting in a payment of $110,000, that alleged breach occurred before the regs went into effect on March 1, 2010.
Importantly, Belmont Savings Bank did have a WISP in place at the time of the breach. Despite that, the settlement agreement requires the bank to comply with the regulations in all respects.
Indeed, Coakley noted that consumers “expect businesses to not only develop policies and procedures to safeguard their sensitive personal information, but to follow these procedures as well. Our office will continue to take action against companies that fail to follow protocol to protect the information entrusted to them by customers.”
When evaluating how the regulations impact your client, it may be useful to consider the following:
• Determine whether your client has Massachusetts residents as customers or employees.
• Determine who will be responsible for implementing and maintaining security policies and programs.
• Determine who should have access to personal information (and who can be excluded from access).
• Identify the paper, electronic, computing systems and portable devices that contain personal information.
• Consider appropriate measures to protect your client’s personal information, in light of your client’s size, scope and type of business, resources, amount of personal information and need.
• Determine whether your client provides any personal information to others (such as accountants, lenders, or other vendors or service providers).
• Ensure that there are up-to-date firewall and other network protections, as well as data encryption capabilities (including on all portable devices).
Other federal laws and regulations address, in part, obligations with respect to personal information, and other states besides Massachusetts have enacted laws and regs with respect to protecting information, requiring service providers to do the same, and reporting potential data security breaches.
Your client may already have adopted some form of information security program. In light of the regulations — the most stringent in the country — it is important that you review the security policies and procedures closely and make any necessary adjustments to ensure compliance.