On Friday, June 5, 2009, Suffolk University Law School’s Center for Advanced Legal Studies organized a thorough presentation on the Massachusetts information security rules. These presentations were led by a pair of notable Massachusetts regulators: Scott D. Schafer, the head of privacy enforcement for the Massachusetts Attorney General and David A. Murray, the chief architect of the Massachusetts identity theft regulations for the Officer of Consumer Affairs and Business Regulation (OCABR).
These men provided useful recommendations on a number of compliance issues, including when a business should be notifying customers about a security breach, how to ensure that personal information is disposed of properly, and what businesses should be doing to comply with the new information security standards. Read on for the highlights from these presentations.
Scott D. Schafer is the Chief of the Consumer Protection Division of the Massachusetts Attorney General, the division charged with enforcing the laws and rules governing breach notification and information security programs. Here are some of the highlights from his presentation:
- Mr. Schafer confirmed that he is the one that reads and responds to notification letters directed to the Attorney General. (Having spoken with Mr. Schafer on the eve of filing such letters, I find it useful to copy him on the notification letter itself.) He underscored that businesses should give him as much advance notice as possible when making a breach notification to help his office prepare to field calls from consumers.
- When discussing ch. 93H, the Massachusetts law requiring notification when there is a security breach, Mr. Schafer indicated that “[e]ssentially it applies to everyone.”
- A “security breach” under Massachusetts law does not need to involve “personal information” if there is a substantial risk of harm. In other words, a security breach that does not disclose a person’s Social Security number or bank account number, may need to be reported if it creates a real risk to consumers.
- Encrypting personal information does not excuse a company from the notification requirement. Massachusetts law requires notification whenever personal information is acquired by unauthorized individuals. There is no exception when the personal information lost was encrypted.
- Massachusetts law requires notification to occur “as soon as practicable and without unreasonable delay.” Several months is generally unreasonable, but “a week or two” is generally warranted when necessary to investigate and provide consumers with accurate information.
- When there has been a breach, credit monitoring is not required by Massachusetts law, but it is good practice.
- In a notification letter, the Office of the Attorney General looks for a description of what the company is doing to make sure this sort of breach will never happen again.
- If a hacked has successfully penetrated a company’s security it may not be possible to determine whether the hacker accessed personal information. In such cases, it is good practice to make a ch. 93H notification.
- If you send personal information by mail / FedEx / UPS and the package is misdelivered or lost, it is good practice to make a ch. 93H notification (unless the package is promptly recovered unopened).
- In making a notification, businesses should remember to include information on a resident’s right to obtain a police report. Also, be aware of the differences between a “security freeze” and a “credit alert.” Notification letters often confuse the two tools which makes it more difficult for consumers.
- With respect to the Massachusetts law requiring secure destruction of documents containing personal information, ch. 93I, Mr. Schafer indicated that the key is to make sure that the information cannot be “read or reconstructed.”
- Businesses can use third party vendors to securely destroy personal information, but it is recommended that they obtain written assurances that the vendor is complying with ch.93I.
- Enforcement of Massachusetts information security laws and regulations is already taking place. The Attorney General typically seeks injunctions to force compliance, as well as a range of monetary damages, including attorneys fees. Mr. Schafer’s office is not engaging in “gotcha” litigation, but is attempting to correct dangerous or harmful practices.
David A. Murray is General Counsel to OCABR, the agency that drafted the new Massachusetts identity theft regulations that require many businesses to adopt comprehensive, written information security programs. He provided an overview of these regulations, primarily directing his presentation from the OCABR compliance checklist (.pdf). Here are some highlights:
- The Massachusetts identity theft regulations are “currently in force,” even though the date for compliance and enforcement is January 1, 2010. In the view of OCABR, all affected businesses and organizations have a duty to to be taking steps now to comply with these regulations.
- The regulations are a minimum standard necessary to effect the goal of the Massachusetts legislation: to “safeguard” the personal information of Massachusetts residents. In OCABR’s view, the regulations are a good balance between consumer protection and burdening businesses.
- In drafting the Massachusetts regulations, regulators reviewed and borroed from the standards set by the federal Gramm Leach Bliley Act (GLBA), HIPAA and other state regulations, including California, New Jersey, Rhode Island and Nevada.
- The purpose of the regulations is to “apply special protections to certain kinds of information.” The first step is to Businesses should know where personal information is stored. “In our experience, most companies know, generally, where it resides.”
- Training on information security is mandatory. OCABR “needs to change the way businesses operate.” We “need to change the culture of thinking of data security as a static, one time event.” The regulations specifically require that busineses treat information security as a “dynamic system.”
- “Access to personal information should be on a ‘need to know’ basis. Everyone should not have access to it.”
- A business “cannot avoid liability by handing over its personal information to a third party vendor.” The regulations require that the business taken “all reasonable” steps to ensure that any third party providers are complying with the new regulations.
- If a business provides personal information to a third party vendor and the vendor suffers a breach, the business “should be fine” if it has complied with its due dilingence requirements.
Mr. Murray did take a few questions, but declined to respond to a number of them on the grounds that his office, OCABR, is not the agency charged with enforcement and is therefore not in a position to comment on what would be considered a violation of the regulations. While OCABR drafted the regulations, the Office of the Attorney General is charged with enforcing them. Of course, by the time these questions emerged, Mr. Schafer and his colleagues from the enforcement side had exited, leaving us to speculate on wonder how the Attorney General will be enforcing the the new identity theft regulations.