Massachusetts Holds Public Hearing on Information Security Regulations -- Regulators Contemplating Additional Revisions in Final Rulemaking

This morning, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) held a public hearing in connection with its promulgation of revisions to the Commonwealth's information privacy regulations, 201 CMR 17.00.  The standing-room-only crowd endured a modest, unventilated conference room in the Transportation Building to make comments on the stringent regulations.  OCABR Undersecretary Barbara Anthony led the meeting with OCABR Deputy General Counsel Jason Egan and Assistant Attorney General Diane Lawton.  The principal author of the original regulations, OCABR General Counsel David A. Murray, could also be seen in the audience.  The highlights of the hearing include:

  • Undersecretary Anthony suggested that the OCABR may make additional revisions to the regulations in issuing final rules. 
     
  • The Undersecretary admitted that the provision of the regulations governing third-party service providers [201 CMR 17.03(2)(f)] "is taken essentially verbatim from the [FTC's] Safeguards Rule," which the FTC promulgated under the Gramm-Leach-Bliley Act in 2002.  The Undersecretary indicated that while OCABR "stole it" from federal regulators at the FTC, she is aware that there may be "confusing language" in the provision and stated that the "final rules will clarify" this aspect of the regulations. 
     
  • Confronted with requests for a model information security program, additional training and other outreach efforts, Undersecretary Anthony indicated that "this is something we definitely will do."
     
  • There was no mention of any further extensions to the current compliance deadline: March 1, 2010.
     
  • The lead enforcement officer of the new regulations and Chief of the Consumer Protection Division, Scott Schafer, began the hearing with a prepared statement crediting the OCABR with successfully addressing an "important issue" and indicating the Attorney General's support for the revised regulations.  In his statement, Mr. Schafer indicated that he believes that the revised regulations provide businesses with "appropriate flexibility" while protecting consumer confidence in the security of personal information involved in commercial transactions.

Over a dozen individuals presented comments to Undersecretary Anthony.  In general, there was a broad call for additional revisions to the requirements with respect to service providers.  There were also repeated requests for "practical guidance" from regulators, in the form of revisions to ambiguous elements of the new regulations, as well as model programs, explanatory guides and materials, training and presentations.  After the jump, you will find more detail from my notes on the public comments. 


  • Robert Kramer, of the Computing Technology Industry Association (CompTIA), opened public comments with the recommendation that the OCABR's final regulations clarify what is meant by "reasonable steps" in the context of selecting third-party service providers capable of maintaining appropriate security measures.  According to Mr. Kramer, this provision of the regulations "provides little practical guidance" to businesses on what they must do in retaining service providers.  This comment was echoed by other members of CompTIA.
     
  • Jacob Braun of Waka Digital Media, also a member of CompTIA, praised regulators for adopting regulations "based on a flexible, risk-based assessment," but raised two concerns.  First, speaking on behalf of companies that manage and secure the data of their clients, Mr. Braun suggested that the definition of who "owns" the personal information should be clarified to focus on the "true owners" of the data and not necessarily to sweep in companies that merely help manage that data.  Second, Mr. Braun asked that the safe-harbor cut-off date for contracts with third-party service providers, currently set at March 1, 2012, be clarified so that it is clear whether companies in fact have a two-year grace period after the 2010 deadline to bring those contracts into compliance with the new regulations. 
     
  • Tammi Salmon of the Investment Company Institute (ICI) indicated that the ICI supports adoption of the revised regulations.  She further commented that the members of the ICI support "strong protections" but oppose "prescriptive measures that dictate the means" of implementing those protections.  Also, the ICI seeks revisions to the definition of who "owns or licenses" personal information to exclude those companies that merely receive and process personal information.  The ICI also asked regulators to limit the definition of "person" under the regulations to exclude the government agencies of other states.
     
  • Bradley A. MacDougall of the Associated Industries of Massachusetts (AIM) echoed support for the revisions to the Massachusetts regulations, which he described as "taking a significant step towards a reasonable and balanced approach."  Speaking for AIM, Mr. MacDougall did recommend greater clarity with respect to the provision requiring contracts with service providers.  In particular, MacDougall indicated that the current draft of the regulations does not indicate whether service providers themselves must agree to comply with the Massachusetts regulations, or whether a less specific contract provision would satisfy the requirements for service providers. [AIM's written testimony is available from AIM's website (login required)]
     
  • Anne Dougherty Johnson of Tech America commented that Tech America supports the revision to the regulations' definition of "encryption" which adds flexibility to companies' compliance.  She stated that "technology neutrality will enable companies to take advantage of new technologies." 
  • John Hearst of the Retailers Association of Massachusetts (RAM) indicated that he is "especially appreciative of the changes in the current version" of the regulations, but that RAM continues to believe that "if we are applying standards to private employers, we should be applying the same standard to government employers."  He also asked regulators to clarify whether the regulations could be enforced by individuals, as opposed to the Attorney General, under the Massachusetts Consumer Protection Act, ch. 93A.  Finally, Hearst asked that regulators expand "technical feasibility" to expressly include "financial feasibility" so that companies are not required to adopt expensive new security technology the moment it becomes available. 
     
  • Socheth Sor of the law firm Edwards Angell Palmer & Dodge LLP asked regulators whether the March 1, 2012 deadline to negotiate contracts with service providers was a typo or whether the OCABR was giving businesses two additional years to comply with the requirement that they obtain contracts with service providers.  Ms. Sor also commented that regulators need to provide additional guidance on "what encryption means" in the context of portable devices.  She suggested that the OCABR set up a telephone hotline that businesses and individuals can call for additional guidance on complying with the regulations.  "To ensure compliance, the public needs practical guidance."
     
  • Daniel J. Foley, Jr. made a statement on behalf of the Massachusetts Association of Insurance Agents (MAIA) indicating that the group believes that "protecting personal information is very important," but that there "should be a reasonable balance."  He asked that regulators hold government agencies to the same standard as they hold individuals and companies.  In addition, Foley asked the OCABR to revise the regulations to permit companies that are already in compliance with parallel federal regulations to be "deemed in compliance" with the Massachusetts regulations.  He also asked that the regulations be revised to strike any requirement that companies obtain specific contractual agreements from service providers.  "Simple verification of service providers' compliance should be sufficient."  In the alternative, Foley asked that a special exemption be granted to insurance agents so that they are not required to enter into new contracts with the insurance companies they represent.  Finally, Foley asked that the regulations expressly adopt the "risk-based approach" that is described in the OCABR FAQ released with the revised regulations.
     
  • Mary Ann Clancy, commenting on behalf of the Massachusetts Credit Union League, Inc., indicated that credit unions have been subject to "more onerous" federal regulation under the Gramm-Leach-Bliley Act since 2001 and voiced support for the revised regulations.
     
  • Jack Daniels, self-professed privacy advocate (and director of the National Information Security Group), spoke on his own behalf in criticizing the Massachusetts regulations as providing little real security.  "If the regulations are not substantially making us safer, they are an undue burden on small businesses."  He then itemized a list of deficiencies in the regulations, from their failure to take an appropriate stance on encryption (the regulations having "eviscerated [the definition of encryption] to the point of being confused with password protection"), to monitoring, to locating sensitive information ("if you don't know where it is, you can't secure it.").  Ultimately he indicated that "there is enough wiggle room [in the regulations] that there is now more burden than benefit."
     
  • MacDonnell Ulsch of Zeropoint Risk Research, LLC observed that the requirement in the Massachusetts regulations that companies adopt information security programs that are "consistent with . . . any state or federal regulation" requires clarification.  "Does this mean that companies in Massachusetts must assess all other state laws to be in compliance?  Do we need to monitor changes in all other states' laws?" 
     
  • John Murphy also raised an interesting question when he asked "Is an agent a 'third-party service provider?'"  Speaking on behalf of the American Insurance Association, he commented that forcing insurance companies to renegotiate contracts with thousands of independent insurance agents would be expensive and time-consuming.
     
  • Michael Ripple of the Providers' Council, a group of healthcare organizations, indicated his support for the risk-based approach adopted by the OCABR, but also stated that many members of the Providers' Council "don't have the money" to comply and asked that the industry be exempted from the regulations.  In the alternative, he asked that the OCABR provide "an abundance of technical assistance" to help community health organizations attempting to weather the current financial crisis.
     
  • Sarah Cortez, a network security engineer, spoke on her own behalf in support of technology neutral regulations.
     
  • Stuart Zimmerman, also representing himself, admonished regulators that pushing the compliance deadline back was having a negative effect.  "The more the date pushes back, the less serious businesses take them."  He expressed a need for "more safe harbors and models."

[Eds. Note: the conditions at the hearing were such that many comments became inaudible the moment someone sneezed or coughed, opened the door or when the HVAC engineer (and his chirping radio) came to inspect the thermostat as the temperature climbed above 80 degrees.  We are more than happy to post attendees' written comments to clarify their intended messages.]

Still Wondering What Changes Massachusetts Made to the State's Information Security Regulations? Here's a Redline of the Revisions to 201 CMR 17.00.

As we reported on August 17th, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has promulgated a revised set of information security regulations (201 CMR 17.00 et seq.) and will hold a meeting for public comment on September 22, 2009.  For those who are still wondering what revisions were made, here is a redline comparison of the amendments (.pdf).

ALERT: Massachusetts Proposes Revised Information Security Regulations, Delays Enforcement Until March 1, 2010

Today, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued proposed amendments to the Massachusetts information security regulations, 201 CMR 17.00 to 17.05 (.doc). The highlights of the proposed regulations include the following:

  • Enforcement of the regulations is postponed until March 1, 2010. 
     
  • Businesses affected by the regulations include anyone that "receives, maintains or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."
     
  • The written information security program required by the regulations should be appropriate to the size and scope of the business, the resources available to the business and the need for security.
     
  • The revised regulations require that businesses enter into written contracts with service providers that require those service providers to adopt appropriate security measures.  There is a grandfather provision that deems any such contract entered into before March 1, 2010 to be in compliance with this aspect of the regulations until March 1, 2012.
     
  • All technical (i.e., computer, network and electronic) security measures are required only "to the extent technically feasible."  The FAQ accompanying the revised regulations has this to say about what is technically feasible: "if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used."

OCABR also issued a useful FAQ on the proposed amendments (.doc) that takes on questions such as "Do all portable devices have to be encrypted?" (Answer: no, only the ones that contain personal information) and "Must I encrypt my backup tapes?" (Answer: yes, on a going forward basis). In OCABR's press release (.doc), Undersecretary Barbara Anthony states that the amended regulations reinforce that "technical feasibility plays a role in what many businesses, especially small businesses can do to protect data."  OCABR will hold a public hearing on the proposed rules at 10:00 a.m. on September 22, 2009 (see OCABR's notice of public hearing (.pdf)).

These regulations ignited a storm of controversy beginning in late 2008, and the compliance deadline has been progressively postponed from January 1, 2009, to May 1, 2009, then to January 1, 2010, and finally to March 1, 2010.  In May, Massachusetts State Senate Chairman Michael Morrissey criticized the regulations as "beyond [the law's] intent" at a public hearing on proposed Senate Bill 173 (.pdf), a bill to substantially revise the Massachusetts law and scale back OCABR's onerous information security regulations.  Progress on the bill stalled when newly-appointed OCABR Undersecretary Anthony agreed to issue amended regulations to bring the regulations closer to the legislative intent and respond to the concerns voiced by the small business community.

Massachusetts Regulators Present on New Information Security Rules - June 5, 2009, Suffolk University Law School

On Friday, June 5, 2009, Suffolk University Law School's Center for Advanced Legal Studies organized a thorough presentation on the Massachusetts information security rules.  These presentations were led by a pair of notable Massachusetts regulators: Scott D. Schafer, the head of privacy enforcement for the Massachusetts Attorney General, and David A. Murray, the chief architect of the Massachusetts identity theft regulations for the Office of Consumer Affairs and Business Regulation (OCABR). 

These men provided useful recommendations on a number of compliance issues, including when a business should be notifying customers about a security breach, how to ensure that personal information is disposed of properly, and what businesses should be doing to comply with the new information security standards.  Read on for the highlights from these presentations.

Scott D. Schafer is the Chief of the Consumer Protection Division of the Massachusetts Attorney General, the division charged with enforcing the laws and rules governing breach notification and information security programs.  Here are some of the highlights from his presentation:

  • Mr. Schafer confirmed that he is the one that reads and responds to notification letters directed to the Attorney General.  (Having spoken with Mr. Schafer on the eve of filing such letters, I find it useful to copy him on the notification letter itself.)  He underscored that businesses should give him as much advance notice as possible when making a breach notification to help his office prepare to field calls from consumers.
     
  • When discussing ch. 93H, the Massachusetts law requiring notification when there is a security breach, Mr. Schafer indicated that "[e]ssentially it applies to everyone." 
     
  • A "security breach" under Massachusetts law does not need to involve "personal information" if there is a substantial risk of harm.  In other words, a security breach that does not disclose a person's Social Security number or bank account number, may need to be reported if it creates a real risk to consumers.
     
  • Encrypting personal information does not excuse a company from the notification requirement.  Massachusetts law requires notification whenever personal information is acquired by unauthorized individuals.  There is no exception when the personal information lost was encrypted.
     
  • Massachusetts law requires notification to occur "as soon as practicable and without unreasonable delay."  Several months is generally unreasonable, but "a week or two" is generally warranted when necessary to investigate and provide consumers with accurate information.
     
  • When there has been a breach, credit monitoring is not required by Massachusetts law, but it is good practice.
     
  • In a notification letter, the Office of the Attorney General looks for a description of what the company is doing to make sure this sort of breach will never happen again.
     
  • If a hacker has successfully penetrated a company's security, it may not be possible to determine whether the hacker accessed personal information.  In such cases, it is good practice to make a ch. 93H notification.
     
  • If you send personal information by mail / FedEx / UPS and the package is misdelivered or lost, it is good practice to make a ch. 93H notification (unless the package is promptly recovered unopened).
     
  • In making a notification, businesses should remember to include information on a resident's right to obtain a police report.  Also, be aware of the differences between a "security freeze" and a "credit alert."  Notification letters often confuse the two tools which makes it more difficult for consumers.
     
  • With respect to the Massachusetts law requiring secure destruction of documents containing personal information, ch. 93I, Mr. Schafer indicated that the key is to make sure that the information cannot be "read or reconstructed." 
     
  • Businesses can use third-party vendors to securely destroy personal information, but it is recommended that they obtain written assurances that the vendor is complying with ch. 93I.
     
  • Enforcement of Massachusetts information security laws and regulations is already taking place.  The Attorney General typically seeks injunctions to force compliance, as well as a range of monetary damages, including attorneys fees.  Mr. Schafer's office is not engaging in "gotcha" litigation, but is attempting to correct dangerous or harmful practices.

David A. Murray is General Counsel to OCABR, the agency that drafted the new Massachusetts identity theft regulations that require many businesses to adopt comprehensive, written information security programs.  He provided an overview of these regulations, primarily directing his presentation from the OCABR compliance checklist (.pdf).  Here are some highlights:

  • The Massachusetts identity theft regulations are "currently in force," even though the date for compliance and enforcement is January 1, 2010.  In the view of OCABR, all affected businesses and organizations have a duty to be taking steps now to comply with these regulations.
     
  • The regulations are a minimum standard necessary to effect the goal of the Massachusetts legislation: to "safeguard" the personal information of Massachusetts residents.  In OCABR's view, the regulations strike a good balance between protecting consumers and burdening businesses.
     
  • In drafting the Massachusetts regulations, regulators reviewed and borrowed from the standards set by the federal Gramm-Leach-Bliley Act (GLBA), HIPAA and other states' regulations, including those of California, New Jersey, Rhode Island and Nevada. 
     
  • The purpose of the regulations is to "apply special protections to certain kinds of information."  The first step is for businesses to know where personal information is stored.  "In our experience, most companies know, generally, where it resides."
     
  • Training on information security is mandatory.  OCABR "needs to change the way businesses operate."  We "need to change the culture of thinking of data security as a static, one time event."  The regulations specifically require that businesses treat information security as a "dynamic system."
     
  • "Access to personal information should be on a 'need to know' basis.  Everyone should not have access to it."
     
  • A business "cannot avoid liability by handing over its personal information to a third party vendor."  The regulations require that the business take "all reasonable" steps to ensure that any third-party providers are complying with the new regulations. 
     
  • If a business provides personal information to a third-party vendor and the vendor suffers a breach, the business "should be fine" if it has complied with its due diligence requirements.

Mr. Murray did take a few questions, but declined to respond to a number of them on the grounds that his office, OCABR, is not the agency charged with enforcement and is therefore not in a position to comment on what would be considered a violation of the regulations.  While OCABR drafted the regulations, the Office of the Attorney General is charged with enforcing them.  Of course, by the time these questions emerged, Mr. Schafer and his colleagues from the enforcement side had exited, leaving us to wonder how the Attorney General will be enforcing the new identity theft regulations.