Massachusetts Holds Public Hearing on Information Security Regulations — Regulators Contemplating Additional Revisions in Final Rulemaking

This morning, the Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) held a public hearing in connection with its promulgation of revisions to the Commonwealth’s information privacy regulations, 201 CMR 17.00.  The standing-room-only crowd endured a modest, unventilated conference room in the Transportation Building to make comments on the stringent regulations.  OCABR Undersecretary Barbara Anthony led the meeting with OCABR Deputy General Counsel Jason Egan and Assistant Attorney General Diane Lawton.  The principal author of the original regulations, OCABR General Counsel David A. Murray, could also be seen in the audience.  The highlights of the hearing include:

• Undersecretary Anthony suggested that the OCABR may make additional revisions to the regulations in issuing final rules.
• The Undersecretary admitted that the provision of the regulations governing third party service providers [201 CMR 17.03(2)(f)] “is taken essentially verbatim from the [FTC’s] Safeguards Rule” that was promulgated in response to the Gramm Leach Bliley Act in 2001.  The Undersecretary indicated that while OCABR “stole it” from federal regulators at the FTC, she is aware that there may be “confusing language” in the provision and stated that the “final rules will clarify” this aspect of the regulations.
• Confronted with requests for a model information security program, additional training and other outreach efforts, Undersecretary Anthony indicated that “this is something we definitely will do.”
• There was no mention of any further extensions to the current compliance deadline: March 1, 2010.
• The lead enforcement officer of the new regulations and Chief of the Consumer Protection Division, Scott Schafer, began the hearing with a prepared statement crediting the OCABR with successfully addressing an “important issue” and indicating the Attorney General’s support for the revised regulations.  In his statement, Mr. Schafer indicated that he believes that the revised regulations provide businesses with “appropriate flexibility” while protecting consumer confidence in the security of personal information involved in commercial transactions.

Over a dozen individuals presented comments to Undersecretary Anthony.  In general, there was a broad call for additional revisions to the requirements with respect to service providers.  There was also repeated request for “practical guidance” from regulators, in the form of revisions to ambiguous elements of the new regulations, as well as model programs, explanatory guides and materials, training and presentations.  After the jump, you will find more detail from my notes on the public comments.

• Robert Kramer, of the Computing Technology Industry Association (CompTIA) opened public comments with the recommendation that the OCABR’s final regulations clarify what is meant by “reasonable steps” in the context of selecting third-party service providers capable of maintaining appropriate security measures.  According to Mr. Kramer, this provision of the regulations “provides little practical guidance” to businesses on what they must do in retaining service providers.  This comment was echoed by other comments from members of CompTIA.
• Jacob Braun of Waka Digital Media and a member of CompTIA praised regulators for adopting regulations “based on a flexible, risk-based assessment,” but raised two concerns.  First, speaking on behalf of companies that manage and secure the data of their clients, Mr. Braun suggested that the definition of who “owns” the personal information should be clarified to focus on the “true owners” of the data and not necessarily to sweep in companies that merely help manage that data.  Second, Mr. Braun asked that the safe harbor cut-off date for contracts with third-party service providers, currently set at March 1, 2012, be clarified so it is clear whether companies in fact have a two year grace period after the 2010 deadline to comply with the new regulations.
• Tammi Salmon of the Investment Company Institute (ICI) indicated that the ICI supports adoption of the revised regulations.  She further commented that the members of the ICI support “strong protections” but oppose “prescriptive measures that dictate the means” of implementing those protections.  Also, the ICI seeks revisions to the definition of who “owns or licenses” personal information to exclude those companies that merely reveice and process personal information.  The ICI also asked regulators to limit the definition of “person” under the regulations to exclude the government agencies of other states.
• Bradley A. MacDougall of the Associated Industries of Massachusetts (AIM) echoed support for the revisions to the Massachusetts regulations, which he described as “taking a significant step towards a reasonable and balanced approach.”  Speaking for AIM, Mr. MacDougall did recommend greater clarity with respect to the provision requiring contracts with service providers.  In particular, MacDougall indicated that the current draft of the regulations does not indicate whether service providers themselves must agree to comply with the Massachusetts regulations, or whether less specific contract provision would comply with the requirements for service providers. [AIM’s written testimony is available from AIM’s website (login required)]
• Anne Dougherty Johnson of Tech Americacommented that Tech America supports the revision to the regulations’ definition of “encryption” which adds flexibility to companies’ compliance.  She stated that “technology neutrality will enable companies to take advantage of new technologies.” 
• John Hearst of the Retailers Association of Massachusetts (RAM) indicated that he is “especially appreciative of the changes in the current version” of the regulations, but that RAM continues to believe that “if we are applying standards to private employers, we should be applying the same standard to government employers.”  He also asked regulators to clarify whether the regulations could be enforced by individuals, as opposed to the Attorney General, under the the Massachusetts Consumer Protection Act, ch. 93A.  Finally, Hearst asked that regulators expand “technical feasibility” to expressly include “financial feasibility” so that companies are not required to immediately adopt expensive new security technology the moment it becomes available.
• Socheth Sor of law firm Edwards Angell Palmer & Dodge LLP spoke at the hearing and asked regulators whether the March 1, 2012 deadline to negotiate contracts with service providers was a typo or whether the OCABR was giving businesses 2 additional years to comply with the requirement that they obtain contracts with service providers.  Ms. Sor also commented that regulators need to provide additional guidance on “what encryption means” in the context of portable devices.  She suggested that the OCABR set up a telephone hotline that businesses and individuals can call for additional guidance on complying with the regulations.  “To ensure compliance, the public needs practical guidance.”
• Daniel J. Foley, Jr. made a statement on behalf of the Massachusetts Association of Insurance Agents (MAIA) indicating that the group believes that “protecting personal information is very important,” but that there “should be a reasonable balance.”  He asked that regulators hold government agencies to the same standard as it holds individuals and companies.  In addition, Foley asked the OCABR to revise the regulations to permit companies that are already in compliance with parallel federal regulations to be “deemed in compliance” with Massachusetts regulations.  He also asked that the regulations be revised to strike any requirement that companies obtain specific contractual agreements from service providers.  “Simple verification of service providers’ compliance should be sufficient.”  In the alternative, Foley asked that there be a special exemption granted to insurance agents so that they not be required to enter into new contracts with the insurance companies they represent.  Finally, Foley asked that the regulations expressly adopt the “risk-based approach” that is described in the OCABR FAQ released with the revised regulations.
• Mary Ann Clancy, commenting on behalf of the Massachusetts Credit Union League, Inc., indicated that credit unions have been subject to “more onerous” federal regulation under the Gramm Leach Bliley Act since 2001 and voiced support for the revised regulations.
• Jack Daniels, self-professed privacy advocate (and director of the National Information Security Group), spoke on his own behalf in criticizing the Massachusetts regulations as providing little real security.  “If the regulations are not substantially making us safer, they are an undue burden on small businesses.”  He then itemized of list of deficiencies in the regulations, from failure to take an appropriate stance on encryption (the regulations having “eviscerated [the definition of encryption] to the point of being confused with password protection”), monitoring, and locating sensitive information (“if you don’t know where it is, you can’t secure it.”).  Ultimately he indicated that “there is enough wiggle room [in the regulations] that there is now more burden than benefit.”
• MacDonnell Ulsch of Zeropoint Risk Research, LLC observed that the requirement in the Massachusetts regulations that companies adopt information security programs that are “consistent with . . . any state or federal regulation” requires clarification.  “Does this mean that companies in Massachusetts must assess all other state laws to be in compliance?  Do we need to monitor changes in all other states’ laws?”
• John Murphy also raised an interesting question when he asked “Is an agent a ‘third-party service provider?'”  Speaking on behalf of the American Insurance Association, he commented that forcing insurance companies to renegotiate contracts with thousands of independent insurance agents would be expensive and time-consuming.
• Michael Ripple of the Providers’ Council, a group of healthcare organizations, indicated his support for the risk-based approach adopted by the OCABR, but also stated that many members of the Provider’s Council “don’t have the money” to comply and asked that the industry be exempted from the regulations.  In the alternative, he asked that the OCABR provide “an abundance of technical assistance” to help community health organizations attempting to weather the current financial crisis.
• Sarah Cortez, a network security engineer, spoke on her own behalf in support of technology neutral regulations.
• Stuart Zimmerman, also representing himself, admonished regulators that pushing the compliance deadline back was having a negative affect.  “The more the date pushes back, the less serious businesses take them.”  He expressed a need for “more safe harbors and models.”

[Eds. Note: the conditions at the hearing were such that many comments became inaudible the moment someone sneezed or coughed, opened the door or when the HVAC engineer (and his chirping radio) came to inspect the thermostat as the temperature climbed above 80 degrees.  We are more than happy to post attendees’ written comments to clarify their intended messages.]