Massachusetts Regulators Finalizing Information Security Regulations, Keep March 1, 2010 Deadline

According to BNA reporter Martha Kessler, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has filed its final information security regulations and will be making them public this week.  BNA has released what they claim to be the final regulations (.pdf) [also available from BNA here (html)].  The final rules appear to have been tweaked only slightly from the draft regulations issued on August 17, 2009.  In a redline comparison (.pdf) against the last draft, two primary revisions emerge:

  1. Entities affected by the regulations have been expanded to include businesses and individuals that merely store personal information; and
     
  2. A clarification was made to the provision requiring affected businesses to negotiate written contracts with service providers that handle personal information.  The tweaks make clear that the grandfather provision that permits companies to rely on service provider contracts already in place will expire on March 1, 2012.

The March 1, 2010 deadline remains unchanged. 

While the final regulations have not been posted to the OCABR website, many are eagerly waiting to see whether the OCABR also provides additional guidance on how to comply, as Undersecretary Anthony promised at the public hearing on these regulations in September.

UPDATE: On Wednesday, November 4th, the OCABR released the final Massachusetts information security regulations (.pdf) to the public, as predicted.  In its new release, the OCABR also announced the publication of its report on consumer data breaches between 2007 and 2009 (.pdf).  The report indicates that since the Massachusetts data breach notification law (M.G.L. ch. 93H) went into effect in 2007, over 1 million Massachusetts residents have been affected by a noticed breach.  Among the many practices mentioned in the report, the OCABR has warned against: (1) "poor employee handling;" (2) documents sent to the wrong recipient; and (3) not taking steps to prevent access by terminated employees.

Still Wondering What Changes Massachusetts Made to the State's Information Security Regulations? Here's a Redline of the Revisions to 201 CMR 17.00.

As we reported on August 17th, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has promulgated a revised set of information security regulations (201 CMR 17.00 et seq.) and will hold a meeting for public comment on September 22, 2009.  For those who are still wondering what revisions were made, here is a redline comparison of the amendments (.pdf).

ALERT: Massachusetts Proposes Revised Information Security Regulations, Delays Enforcement Until March 1, 2010

Today, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued proposed amendments to the Massachusetts information security regulations, 201 CMR 17.00 to 17.05 (.doc). The highlights of the proposed regulations include the following:

  • Enforcement of the regulations is postponed until March 1, 2010. 
     
  • Businesses affected by the regulations include anyone that "receives, maintains or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."
     
  • The written information security program required by the regulations should be appropriate to the size and scope of the business, the resources available to the business and the need for security.
     
  • The revised regulations require that businesses enter into written contracts with service providers that require service providers to adopt appropriate security measures.  There is a grandfather provision that deems any contract entered into before March 1, 2010 to be in compliance with this aspect of the regulations.
     
  • All technical (i.e., computer, network and electronic) security measures are only required "to the extent technically feasible."  The FAQ accompanying the revised regulations has this to say about what is technically feasible: "if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used."

OCABR also issued a useful FAQ on the proposed amendments (.doc) that takes on questions such as "Do all portable devices have to be encrypted?" (Answer: no, only the ones that contain personal information) and "Must I encrypt my backup tapes?" (Answer: yes, on a going forward basis). In OCABR's press release (.doc), Undersecretary Barbara Anthony states that the amended regulations reinforce that "technical feasibility plays a role in what many businesses, especially small businesses can do to protect data."  OCABR will hold a public hearing on the proposed rules at 10:00 a.m. on September 22, 2009 (see OCABR's notice of public hearing (.pdf)).

These regulations ignited a storm of controversy beginning in late 2008, and the deadline has been progressively postponed from January 1, 2009, to May 1, 2009, then to January 1, 2010, and finally to March 1, 2010.  In May, Massachusetts State Senate Chairman Michael Morrissey criticized the regulations as "beyond [the law's] intent" at a public hearing on proposed Senate Bill 173 (.pdf), a bill to substantially revise the Massachusetts law and scale back OCABR's onerous information security regulations.  Progress on the bill stalled when newly-appointed OCABR Undersecretary Anthony agreed to issue amended regulations to bring the regulations closer to the legislative intent and respond to the concerns voiced by the small business community.

Massachusetts Regulators Present on New Information Security Rules - June 5, 2009, Suffolk University Law School

On Friday, June 5, 2009, Suffolk University Law School's Center for Advanced Legal Studies organized a thorough presentation on the Massachusetts information security rules.  These presentations were led by a pair of notable Massachusetts regulators: Scott D. Schafer, the head of privacy enforcement for the Massachusetts Attorney General, and David A. Murray, the chief architect of the Massachusetts identity theft regulations for the Office of Consumer Affairs and Business Regulation (OCABR).

These men provided useful recommendations on a number of compliance issues, including when a business should be notifying customers about a security breach, how to ensure that personal information is disposed of properly, and what businesses should be doing to comply with the new information security standards.  Read on for the highlights from these presentations.

Scott D. Schafer is the Chief of the Consumer Protection Division of the Massachusetts Attorney General, the division charged with enforcing the laws and rules governing breach notification and information security programs.  Here are some of the highlights from his presentation:

  • Mr. Schafer confirmed that he is the one that reads and responds to notification letters directed to the Attorney General.  (Having spoken with Mr. Schafer on the eve of filing such letters, I find it useful to copy him on the notification letter itself.)  He underscored that businesses should give him as much advance notice as possible when making a breach notification to help his office prepare to field calls from consumers.
     
  • When discussing ch. 93H, the Massachusetts law requiring notification when there is a security breach, Mr. Schafer indicated that "[e]ssentially it applies to everyone." 
     
  • A "security breach" under Massachusetts law does not need to involve "personal information" if there is a substantial risk of harm.  In other words, a security breach that does not disclose a person's Social Security number or bank account number may still need to be reported if it creates a real risk to consumers.
     
  • Encrypting personal information does not excuse a company from the notification requirement.  Massachusetts law requires notification whenever personal information is acquired by unauthorized individuals.  There is no exception when the personal information lost was encrypted.
     
  • Massachusetts law requires notification to occur "as soon as practicable and without unreasonable delay."  Several months is generally unreasonable, but "a week or two" is generally warranted when necessary to investigate and provide consumers with accurate information.
     
  • When there has been a breach, credit monitoring is not required by Massachusetts law, but it is good practice.
     
  • In a notification letter, the Office of the Attorney General looks for a description of what the company is doing to make sure this sort of breach will never happen again.
     
  • If a hacker has successfully penetrated a company's security, it may not be possible to determine whether the hacker accessed personal information.  In such cases, it is good practice to make a ch. 93H notification.
     
  • If you send personal information by mail / FedEx / UPS and the package is misdelivered or lost, it is good practice to make a ch. 93H notification (unless the package is promptly recovered unopened).
     
  • In making a notification, businesses should remember to include information on a resident's right to obtain a police report.  Also, be aware of the differences between a "security freeze" and a "credit alert."  Notification letters often confuse the two tools which makes it more difficult for consumers.
     
  • With respect to the Massachusetts law requiring secure destruction of documents containing personal information, ch. 93I, Mr. Schafer indicated that the key is to make sure that the information cannot be "read or reconstructed." 
     
  • Businesses can use third party vendors to securely destroy personal information, but it is recommended that they obtain written assurances that the vendor is complying with ch. 93I.
     
  • Enforcement of Massachusetts information security laws and regulations is already taking place.  The Attorney General typically seeks injunctions to force compliance, as well as a range of monetary damages, including attorneys' fees.  Mr. Schafer's office is not engaging in "gotcha" litigation, but is attempting to correct dangerous or harmful practices.

David A. Murray is General Counsel to OCABR, the agency that drafted the new Massachusetts identity theft regulations that require many businesses to adopt comprehensive, written information security programs.  He provided an overview of these regulations, primarily directing his presentation from the OCABR compliance checklist (.pdf).  Here are some highlights:

  • The Massachusetts identity theft regulations are "currently in force," even though the date for compliance and enforcement is January 1, 2010.  In the view of OCABR, all affected businesses and organizations have a duty to be taking steps now to comply with these regulations.
  • The regulations are a minimum standard necessary to effect the goal of the Massachusetts legislation: to "safeguard" the personal information of Massachusetts residents.  In OCABR's view, the regulations are a good balance between consumer protection and burdening businesses.
     
  • In drafting the Massachusetts regulations, regulators reviewed and borrowed from the standards set by the federal Gramm-Leach-Bliley Act (GLBA), HIPAA and other state regulations, including those of California, New Jersey, Rhode Island and Nevada.
  • The purpose of the regulations is to "apply special protections to certain kinds of information."  The first step is for businesses to know where personal information is stored.  "In our experience, most companies know, generally, where it resides."
  • Training on information security is mandatory.  OCABR "needs to change the way businesses operate."  We "need to change the culture of thinking of data security as a static, one time event."  The regulations specifically require that businesses treat information security as a "dynamic system."
     
  • "Access to personal information should be on a 'need to know' basis.  Everyone should not have access to it."
     
  • A business "cannot avoid liability by handing over its personal information to a third party vendor."  The regulations require that the business take "all reasonable" steps to ensure that any third party providers are complying with the new regulations.
  • If a business provides personal information to a third party vendor and the vendor suffers a breach, the business "should be fine" if it has complied with its due diligence requirements.

Mr. Murray did take a few questions, but declined to respond to a number of them on the grounds that his office, OCABR, is not the agency charged with enforcement and is therefore not in a position to comment on what would be considered a violation of the regulations.  While OCABR drafted the regulations, the Office of the Attorney General is charged with enforcing them.  Of course, by the time these questions emerged, Mr. Schafer and his colleagues from the enforcement side had exited, leaving us to wonder how the Attorney General will be enforcing the new identity theft regulations.

ALERT: Massachusetts Gives Businesses Until January 1, 2010 to Adopt Information Security Programs To Comply With Recent Identity Theft Regulations

On Thursday, February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a public statement indicating that it is extending the May 1, 2009 deadline to comply with recent Massachusetts identity theft regulations until January 1, 2010. 

The Massachusetts identity theft regulations affect entities that own, license, store or maintain personal information, including social security numbers, state identification numbers and financial account information, about any Massachusetts residents. Under amended regulations filed Thursday, individuals and businesses covered by the regulations must evaluate existing security measures and implement written information security programs on or before January 1, 2010. 

In the OCABR press release, Daniel C. Crane, undersecretary of the OCABR, indicated that the new deadline acknowledges that many businesses are having trouble complying with the new regulations in the wake of recent economic pressures. “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.” 

The new deadline makes clear that the OCABR is willing to give businesses additional time to improve information security measures, but also that regulators want all affected businesses to meet the new security standards by 2010. For most affected businesses, the new deadline does not mean they should delay their compliance efforts. Many businesses will need the additional time to analyze existing security threats and implement the necessary administrative, physical and electronic security measures. 

Links:

  • The OCABR homepage
  • The OCABR's February 12, 2009 announcement
  • The amended Massachusetts Identity Theft Regulations (17 C.M.R. 17.00-17.05) are available here (.pdf) or from the OCABR's website here (.pdf)

ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations

In September, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued broad identity theft regulations that require virtually every business that retains information on Massachusetts residents to develop comprehensive policies and procedures to address the risk of identity theft by January 1, 2009. 

On Friday, November 14, 2008, OCABR announced that it will give businesses until May 1, 2009 to comply with the new regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same date, May 1, 2009. 

In conjunction with the recently enacted Massachusetts identity theft statute, Mass. Gen. Laws ch. 93H, the Massachusetts identity theft regulations published as 201 CMR 17.00 set specific standards for businesses that own, license, store or maintain personal information about any Massachusetts residents. There are several key provisions in the new regulations:

  • Businesses subject to the regulations include any company, whether or not based in Massachusetts, that owns, licenses, stores or maintains “personal information” about Massachusetts residents.
  • “Personal information” is defined to include a resident’s name in combination with a Social Security number, driver’s license number, credit card or bank account information.
  • Affected businesses are required to develop, implement, maintain and monitor a comprehensive information security program that identifies and mitigates the risks of potential identity theft.
  • Businesses are required to set limits on when employees may access, keep and transport records containing personal information outside of company offices and impose disciplinary measures on employees that violate the information security policies.
  • The regulations also specifically require that computer systems containing personal information are protected by encryption, secure user logins, firewall systems, virus and malware protection and reasonably up-to-date system software. 

The Massachusetts Attorney General is authorized to enforce these regulations, but at this stage, as with any new regulatory framework, the form and level of government enforcement is unclear. However, the new regulations direct the Attorney General to take into account the size and nature of the business, as well as the resources available to it, when assessing compliance.

2.13.2009 UPDATE: As we report in our client alert, the OCABR has filed amended regulations to extend the deadline for compliance with Massachusetts identity theft regulation to January 1, 2010.