On Friday, June 5, 2009, Suffolk University Law School’s Center for Advanced Legal Studies organized a thorough presentation on the Massachusetts information security rules. These presentations were led by a pair of notable Massachusetts regulators: Scott D. Schafer, the head of privacy enforcement for the Massachusetts Attorney General, and David A. Murray, the chief architect of the Massachusetts identity theft regulations for the Office of Consumer Affairs and Business Regulation (OCABR).
These men provided useful recommendations on a number of compliance issues, including when a business should be notifying customers about a security breach, how to ensure that personal information is disposed of properly, and what businesses should be doing to comply with the new information security standards. Read on for the highlights from these presentations.
Scott D. Schafer is the Chief of the Consumer Protection Division of the Massachusetts Attorney General, the division charged with enforcing the laws and rules governing breach notification and information security programs. Here are some of the highlights from his presentation:
- Mr. Schafer confirmed that he is the one that reads and responds to notification letters directed to the Attorney General. (Having spoken with Mr. Schafer on the eve of filing such letters, I find it useful to copy him on the notification letter itself.) He underscored that businesses should give him as much advance notice as possible when making a breach notification to help his office prepare to field calls from consumers.
- When discussing ch. 93H, the Massachusetts law requiring notification when there is a security breach, Mr. Schafer indicated that “[e]ssentially it applies to everyone.”
- A “security breach” under Massachusetts law does not need to involve “personal information” if there is a substantial risk of harm. In other words, a security breach that does not disclose a person’s Social Security number or bank account number may still need to be reported if it creates a real risk to consumers.
- Encrypting personal information does not excuse a company from the notification requirement. Massachusetts law requires notification whenever personal information is acquired by unauthorized individuals. There is no exception when the personal information lost was encrypted.
- Massachusetts law requires notification to occur “as soon as practicable and without unreasonable delay.” Several months is generally unreasonable, but “a week or two” is generally warranted when necessary to investigate and provide consumers with accurate information.
- When there has been a breach, credit monitoring is not required by Massachusetts law, but it is good practice.
- In a notification letter, the Office of the Attorney General looks for a description of what the company is doing to make sure this sort of breach will never happen again.
- If a hacker has successfully penetrated a company’s security, it may not be possible to determine whether the hacker accessed personal information. In such cases, it is good practice to make a ch. 93H notification.
- If you send personal information by mail / FedEx / UPS and the package is misdelivered or lost, it is good practice to make a ch. 93H notification (unless the package is promptly recovered unopened).
- In making a notification, businesses should remember to include information on a resident’s right to obtain a police report. Also, be aware of the differences between a “security freeze” and a “credit alert.” Notification letters often confuse the two tools which makes it more difficult for consumers.
- With respect to the Massachusetts law requiring secure destruction of documents containing personal information, ch. 93I, Mr. Schafer indicated that the key is to make sure that the information cannot be “read or reconstructed.”
- Businesses can use third party vendors to securely destroy personal information, but it is recommended that they obtain written assurances that the vendor is complying with ch. 93I.
- Enforcement of Massachusetts information security laws and regulations is already taking place. The Attorney General typically seeks injunctions to force compliance, as well as a range of monetary damages, including attorneys’ fees. Mr. Schafer’s office is not engaging in “gotcha” litigation, but is attempting to correct dangerous or harmful practices.
David A. Murray is General Counsel to OCABR, the agency that drafted the new Massachusetts identity theft regulations that require many businesses to adopt comprehensive, written information security programs. He provided an overview of these regulations, primarily directing his presentation from the OCABR compliance checklist (.pdf). Here are some highlights:
- The Massachusetts identity theft regulations are “currently in force,” even though the date for compliance and enforcement is January 1, 2010. In the view of OCABR, all affected businesses and organizations have a duty to be taking steps now to comply with these regulations.
- The regulations are a minimum standard necessary to effect the goal of the Massachusetts legislation: to “safeguard” the personal information of Massachusetts residents. In OCABR’s view, the regulations are a good balance between consumer protection and burdening businesses.
- In drafting the Massachusetts regulations, regulators reviewed and borrowed from the standards set by the federal Gramm-Leach-Bliley Act (GLBA), HIPAA and other state regulations, including those of California, New Jersey, Rhode Island and Nevada.
- The purpose of the regulations is to “apply special protections to certain kinds of information.” The first step is for businesses to know where personal information is stored. “In our experience, most companies know, generally, where it resides.”
- Training on information security is mandatory. OCABR “needs to change the way businesses operate.” We “need to change the culture of thinking of data security as a static, one time event.” The regulations specifically require that businesses treat information security as a “dynamic system.”
- “Access to personal information should be on a ‘need to know’ basis. Everyone should not have access to it.”
- A business “cannot avoid liability by handing over its personal information to a third party vendor.” The regulations require that the business take “all reasonable” steps to ensure that any third party providers are complying with the new regulations.
- If a business provides personal information to a third party vendor and the vendor suffers a breach, the business “should be fine” if it has complied with its due diligence requirements.
Mr. Murray did take a few questions, but declined to respond to a number of them on the grounds that his office, OCABR, is not the agency charged with enforcement and is therefore not in a position to comment on what would be considered a violation of the regulations. While OCABR drafted the regulations, the Office of the Attorney General is charged with enforcing them. Of course, by the time these questions emerged, Mr. Schafer and his colleagues from the enforcement side had exited, leaving us to wonder how the Attorney General will be enforcing the new identity theft regulations.
I found this information very beneficial but am left wondering about two specific items.
1) What would constitute substantial “risk of harm” if the breach involved information other than PII? Is there any clarification on the type of information defined as a baseline for “risk of harm”?
2) I was under the impression that encryption of PII negated the requirement to notify the Attorney General/OCABR? The note above would seem to indicate notification is required regardless of the encryption status of the information?
Chris, thanks for your comments and questions.
With respect to your question about the “risk of harm” — ch. 93H expressly requires “a substantial risk of identity theft or fraud” before an incident becomes a “breach of security” that must be reported. There has not been a great deal of guidance on this issue, but that may be a result of the fact that there are a lot of possible ways to breach security. For example, what if a disgruntled employee steals a username and password to a company’s on-line customer database? This may be a “breach of security,” even though the information stolen was not “personal information.”
A “substantial risk of identity theft or fraud” may not be present in every incident. For example, an individual that takes a company computer without permission may be a thief planning on stealing customer credit card data or he may have been hired to move the company’s accounting department to new offices and grabbed the wrong computer. Arguably, the risk of identity theft is much lower in the latter example and may not present a substantial risk of identity theft.
Your second question is a good one that goes right to the heart of Mr. Schafer’s comment on encryption. Section 3 of the statute (MGL ch. 93H) requires notification under two circumstances: (1) when there has been a “breach of security;” and (2) when there has been nothing more than an unauthorized acquisition or use of personal information. While the loss of encrypted data is not a breach of security (unless the encryption key is also lost), the second prong of the statute (unauthorized acquisition) appears to apply notwithstanding the fact that the data may have been encrypted. This bizarre ambiguity is a “feature” of the Massachusetts law that has not been explained clearly. We may have to wait for a court to interpret this section before the ambiguity is resolved.
Mr. Schafer’s comments suggest that the Attorney General is aware that the statute is relatively broad and is encouraging businesses to report potential breaches more frequently, even if it means notifying residents when encrypted information has been lost.