OCABR Extends Massachusetts Data-Security Law Full Compliance Deadline Until January 1, 2010
On February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued new regulations establishing January 1, 2010, as the new deadline by which businesses must fully comply with the new Massachusetts data-security law, Mass. Gen. L. ch. 93H (“Chapter 93H”), and its implementing regulations, 201 CMR 17.00. The OCABR extended the prior compliance deadline of May 1, 2009, because of the challenges caused by the current economic climate and businesses needing additional time to better understand what is required to protect customer data.
Significant New Obligations For Employers
Chapter 93H imposes broad information-security and computer-system-security requirements upon businesses of all sizes that maintain personal information concerning Massachusetts residents. Accordingly, even with the additional time that OCABR has provided, employers need to move swiftly to make the operational changes needed to comply.
Chapter 93H, which became effective October 31, 2007, applies to any business entity or person, whether located inside or outside Massachusetts, that owns, licenses, maintains or stores “personal information” regarding Massachusetts residents in written or electronic form. “Personal information” means a resident’s first name (or first initial) and last name in combination with one or more of the following: (a) social-security number, (b) driver’s license or state-issued identification-card number, or (c) financial-account number or credit- or debit-card number, with or without any security code, access code, PIN or password, that would permit access to the resident’s financial account. Information lawfully obtained from publicly available sources or public government records is excluded.
The statute’s notification obligations are triggered by a “breach of security.” This is an unauthorized acquisition or use of unencrypted data (or of encrypted data together with the key or process needed to read it) that compromises personal information regarding a Massachusetts resident and creates a substantial risk of identity theft or fraud. Because properly encrypted data whose key remains secure falls outside this definition, encryption is one of the most effective ways to limit notification exposure. Upon learning of a breach of security, an employer must promptly notify each affected Massachusetts resident, the state Attorney General and OCABR. The notice must contain specific information, including the resident’s right to obtain a police report, how the resident can request a security freeze on his or her consumer reports, and what steps the employer has taken or plans to take in response to the breach.
The Implementing Regulations
The implementing regulations are intended to reduce the risks of data-security breaches. They seek to achieve this by imposing a wide range of obligations upon employers and other holders of personal information.
For instance, each employer will be required to implement and maintain a comprehensive written security program regarding the personal information that it holds or transmits. As part of its written security program, an employer must, among other things:
- Designate one or more specific employees to be responsible for maintaining the program;
- Provide for disciplinary measures against employees who violate the information-security program;
- Ensure that former employees are no longer permitted to access personal information maintained by the employer (e.g., by immediately disabling their network and application accounts, recovering any laptops or portable media they hold, and changing any shared passwords they knew);
- Take reasonable steps to ensure that third-party service providers who are given access to personal information have appropriate safeguards in place to prevent its unauthorized disclosure;
- Develop a written procedure that sets forth the manner in which physical access to records containing personal information is to be limited (the regulations define “record” to include both paper and electronic material, so this covers file rooms and backup media as well as computer systems);
- Regularly monitor and review the scope and effectiveness of its information-security program and policies; and
- Document all steps taken by the employer in response to any incident involving a breach of information security.
Similarly, with respect to its computer system, an employer must, among other things:
- Maintain secure user-authentication protocols (e.g., controlled assignment of user IDs, a reasonably secure method of assigning and storing passwords, limiting access to active user accounts, and locking out a user ID after repeated failed login attempts);
- Restrict access to records and files containing personal information to individuals whose job duties require such access;
- Encrypt, to the extent technically feasible, all files and records containing personal information that are transmitted across public networks or wirelessly (in practice, this means using encrypted channels such as TLS or SFTP rather than plain e-mail attachments or unencrypted FTP, and securing wireless networks with current encryption rather than open or WEP configurations);
- Monitor its computer system for unauthorized use of, or access to, personal information; and
- Encrypt all personal information stored on laptops or other portable devices, such as memory sticks, DVDs and PDAs (full-disk or full-device encryption is the simplest way to satisfy this, since it does not depend on users remembering to encrypt individual files); and
- Maintain reasonably up-to-date firewall protection, operating-system security patches and malware protection on systems that hold personal information, and train employees on the proper use of the computer system and the importance of personal-information security.
The extent to which OCABR may relax these requirements for small employers is not clear. While the requirements are the same for small and large employers alike, the regulations take a risk-based approach: compliance is to be evaluated with reference to the employer’s size, scope and type of business, the resources available to it, the amount of personal information it stores, and the need for security and confidentiality of that information.
A practical suggestion for employers is to accord personal information the same status as trade secrets and other confidential information. Employers should already have policies and procedures in place for ensuring the confidentiality of business plans, nonpublic financial data and the like. Similar policies and procedures must now be instituted for personal information under Chapter 93H. (Employers should, of course, review both the statute and the implementing regulations in detail, as some of their specific requirements will likely differ from employers’ current protocols for handling sensitive information.)
Given the breadth and complexity of the new requirements, outside data-management companies may begin offering services intended to bring businesses into compliance with Chapter 93H. Such services may be especially valuable for smaller employers that might find it difficult, given their personnel limitations, to carry out these tasks on their own.
Violations of Chapter 93H
Failure to comply with the new regulations may have serious consequences. Chapter 93H authorizes the Massachusetts Attorney General to remedy a violation of the statute by bringing an action under Mass. Gen. L. ch. 93A (“Chapter 93A”), which prohibits unfair and deceptive business acts and practices. Chapter 93A provides for civil penalties, awards of multiple damages and attorneys’ fees.
Further, although Chapter 93H does not refer to a private right of action, Massachusetts courts might interpret the statute to confer such a right, either by allowing an employee to sue directly under Chapter 93H or by allowing a private lawsuit under Chapter 93A based on an employer’s failure to comply with Chapter 93H. Lawsuits alleging negligence or other common-law claims by employees notified of a data breach are also anticipated.
Practical Suggestions For Employers
It will take a significant amount of work to be compliant with this new law by January 1, 2010. Employers should act now to, among other things, develop a Personal Information Security Program (“Program”) that includes the required elements of a written security program detailed above. A practical first step is an inventory of where personal information is collected, stored and transmitted, since the remaining requirements cannot be scoped without it. Employers should also identify and train one or more employees to implement and manage the Program, determine whether any related policies and procedures must be revised to conform to it, and determine whether any information-technology systems require modification to meet the technical requirements of the implementing regulations. Given the detailed requirements of the new data-security law and the approaching compliance deadline, employers should begin these measures immediately.
* * *
Please feel free to contact us if you would like assistance in developing a Personal Information Security Program for your company, or if you have questions about Chapter 93H or its implementing regulations.