Employers Face Stricter Compliance Requirements Under Recent Amendments To Massachusetts Data Protection Law
Earlier this year, Governor Charlie Baker signed into law a measure amending the Massachusetts Data Protection Law (the "MDPL"). The amendments to the MDPL, which went into effect in April, affect every organization that licenses or owns "personal information" of Massachusetts residents, regardless of whether or not an organization has a physical presence in the Commonwealth.
In particular, the amendments (i) expand the scope of the actions that organizations must take in the event of a data breach, and (ii) clarify the responsibilities that organizations have to individuals whose personal information has been compromised through a data breach. Covered entities should review these changes and update their policies and practices to ensure that they are in compliance with the MDPL and are prepared to respond swiftly and fully to any data breach.
The Massachusetts Data Protection Law
In response to several high-profile data breaches that compromised personal information of consumers in the early 2000s, Massachusetts instituted what was widely hailed as the country's most comprehensive data protection law. The MDPL and its implementing regulations went into effect on March 1, 2010.
Under the MDPL, any natural person or entity (excluding the state government and any natural person not engaged in commerce) that owns or licenses personal information of a Massachusetts resident is required to take certain measures to protect that information. The MDPL defines "personal information" as "a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account." Information falling within these parameters qualifies as personal information regardless of whether it is stored electronically or on physical documents.
Specifically, the MDPL requires each owner or licensor of personal information to develop and implement a Written Information Security Program ("WISP"), detailing various procedures related to the collection, protection, and transmission of personal information. For instance, a WISP must (i) describe the procedures the organization will follow in the event of a security breach, and (ii) set standards for vetting third-party service providers with access to personal information to ensure that they will comply with the MDPL.
Further, the MDPL specifies how organizations must respond to a data breach involving personal information. A data breach is defined as a "breach of security, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth."
As originally enacted in 2010, the MDPL required that an individual or entity owning or licensing personal information of a Massachusetts resident provide written notice "as soon as practicable and without unreasonable delay" when the individual or entity knows, or has reason to know, of a data security breach, or that such personal information has been acquired or used by an unauthorized person or used for an unauthorized purpose. Notice must be sent to: (1) the Massachusetts Attorney General's Office ("AGO"); (2) the Director of the Office of Consumer Affairs and Business Regulation ("OCABR"); and (3) the affected Massachusetts resident.
Failure to comply with the MDPL can subject violators to enforcement actions by the Attorney General's Office, which may result in civil penalties, damages, and injunctive relief.
The recent amendments to the MDPL strengthen these requirements. In particular, the statute now provides that notice to a Massachusetts resident of a data breach "shall not be delayed on grounds that the total number of residents affected is not yet ascertained." Additionally, in the case of a data breach involving an individual's Social Security number, the organization must offer to provide 18 months of free credit monitoring services.
Further, entities experiencing data breaches must now provide more detailed reports to the AGO and OCABR. Such reports must now include: (a) the name and address of the breached entity; (b) the name of the entity reporting the breach, and its relationship to the breached entity; (c) the type of entity reporting the breach; (d) the individual(s) responsible for the breach (if known); (e) the type of personal information involved; (f) whether the breached entity has a WISP; and (g) any steps that have been taken, or will be taken, in response to the breach.
Implications And Recommendations
The recent amendments to the MDPL signal a renewed commitment on the part of the Commonwealth to protecting its citizens' personal information. As a result, all organizations that own or license personal information of Massachusetts residents - whether or not they have a physical presence in the Commonwealth - need to ensure that they are aware of their legal obligations and respond appropriately to any data security breach.
As a first step to remaining (or becoming) compliant, an organization should carry out an audit of the information it processes or possesses to determine whether it licenses or owns "personal information" of Massachusetts residents. Entities that do so are required, under the MDPL, to have a WISP, so any organization covered by the MDPL that does not already have a WISP in place should develop and implement one as soon as practicable. Organizations that already have WISPs in place should review and revise these documents as necessary to ensure that they are compliant with the new mandates and consistent with their current practices.
Another key takeaway from the recent amendments to the MDPL is that organizations must not delay in investigating and responding to data breaches. Once an organization determines that a Massachusetts resident's personal information has been compromised, it must inform that individual "as soon as practicable and without unreasonable delay." Complying with this requirement will often mean that reports must be made before the organization has a full understanding of the extent of the breach or how many individuals have been affected.
Organizations should also be aware that every other U.S. state has adopted its own standards regarding the protection of personal information, as well as protocols that organizations must follow in the event of a breach. In the case of a breach involving the personal information of residents of multiple states, the organization will likely have to comply with numerous, state-specific reporting obligations.
* * *
If you have questions about the recent amendments to the MDPL or about data security in general, or if you would like assistance in creating or updating your organization's WISP, please feel free to contact us.