Massachusetts Data Security Regulations Finalized: Compliance Deadline Remains March 1, 2010
On October 30, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) filed with the Secretary of the Commonwealth final regulations implementing the Massachusetts Data Security Law (the “Final Regulations”). Significantly, the compliance deadline was not extended, as it had been in previous rounds of revisions. Accordingly, the compliance deadline remains March 1, 2010, leaving covered entities with much to do in a short time frame. The substantive amendments contained in the Final Regulations are summarized below.
The Final Regulations apply to entities that own, license, store, maintain, process or otherwise have access to records containing “personal information” of Massachusetts residents in connection with the provision of goods or services or in connection with employment. Personal information means a Massachusetts resident’s first and last name, or first initial and last name, combined with a financial account number, a credit or debit card number, a Social Security number, a driver’s license number and/or a state-issued identification number. In practice, the Final Regulations will apply to nearly all entities and individuals that employ or conduct business with Massachusetts residents, regardless of whether the entity is physically located in Massachusetts.
Under the key features of the Final Regulations, covered entities must by March 1, 2010:
(a) implement certain information technology security requirements, such as, to the extent technically feasible, using strong password and user-authentication protocols, firewalls, security system monitoring, and encryption of electronically stored or transmitted personal information, in order to protect the security of personal information;
(b) develop and implement a Comprehensive Written Information Security Program (“WISP”), i.e., a detailed policy that sets forth the covered entity’s security, technical and administrative protocols for safeguarding personal information;
(c) conduct employee training in the WISP; and
(d) contractually require third-party service providers to implement and maintain appropriate security measures to protect personal information (except with respect to preexisting contracts, which are subject to a two-year grace period, as discussed below).
The Final Regulations clarify that coverage extends not only to entities that own or license personal information but also to those that “store” personal information. Accordingly, a business that “owns and licenses” personal information is now defined as one that “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.” The definition of “service provider” was also amended to include the term “stores,” so that a covered “service provider” is now defined as “any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.”
The Final Regulations also clarify that the two-year grace period for contractually requiring third-party service providers to implement and maintain appropriate security measures applies only to contracts that are already in effect as of March 1, 2010. All contracts executed after the March 1, 2010 effective date must immediately satisfy this contractual requirement. In this regard, the Final Regulations state that covered entities must require “third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third-party service provider to perform services for said person or functions on said person’s behalf satisfies the provisions of 17.03(f)(2) even if the contract does not include a requirement that the third-party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.”
We encourage covered entities that have not yet taken steps to achieve compliance with the new Massachusetts Data Security Law to begin immediately. In this regard, the Firm has developed a data security compliance package to assist covered entities with their compliance efforts.