The Massachusetts Office of Consumer Affairs and Business Regulation has issued final data security regulations pursuant to the comprehensive data security law signed by Governor Deval Patrick on August 3, 2007. The regulations establish minimum standards for protecting and storing personal information about Massachusetts residents contained in paper or electronic format. The regulations apply to any businesses or individuals that own, license, store or maintain personal information about a Massachusetts resident. Therefore, they may even cover businesses or individuals having no presence in Massachusetts, as long as these entities possess the personal information of any Massachusetts resident. The regulations become effective on January 1, 2009.

General Requirements.

Covered persons and entities must develop, implement, maintain and monitor a comprehensive information security program applicable to any records containing personal information. The program must: (i) be in writing, (ii) be reasonably consistent with industry standards, and (iii) include administrative, technical, and physical safeguards. Thus, addressing the data security requirement solely from an IT perspective will be insufficient to comply with these regulations. While certain safeguards may be necessary and appropriate for any comprehensive program, the regulations list safeguards that must be a part of any comprehensive information security program. Covered persons or entities must:

- Designate one or more employees to maintain the program.
- Conduct risk assessments to gauge risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information. This must be followed by evaluating and improving the effectiveness of safeguards. The regulations include temporary and contract employees in the training requirements.
- Develop security policies concerning whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.
- Discipline employees for program violations.
- Ensure terminated employees no longer have access to personal information.
- Verify through reasonable efforts that outside vendors with access to personal information have the capacity to protect that information. The regulations require that before providing a vendor access to personal information, the covered person or entity must obtain a written certification that the vendor has a compliant comprehensive information security program.
- Collect, retain and provide access to personal information only to the extent it is reasonably necessary to accomplish the legitimate purpose for which it is collected, retained or accessed, or as is necessary to comply with state or federal record retention requirements.
- Unless a covered person or entity protects all records under a comprehensive information security program as if they contain personal information, it must identify paper, electronic and other records, computing systems, and storage media that contain personal information.
- Impose reasonable restrictions on physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted.
- Monitor the program to ensure it is operating as intended and make adjustments as necessary and appropriate.
- Assess the scope of the entity’s safeguards at least once a year or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
- Document steps taken to respond to a security breach and any changes in safeguards resulting from a review of the breach incident.
Specific Program Requirements for Electronically Stored or Transmitted Personal Information.

Every covered person or entity that electronically stores or transmits personal information also must establish and maintain a security system covering its computers, including any wireless systems. The security system must be a part of the written, comprehensive information security program. Among other things, the system must implement protocols to authenticate users and restrict access. To the extent feasible, records containing personal information that is transmitted across public networks and wirelessly must be encrypted. All personal information stored on laptops and portable devices must be encrypted.

Complete and Timely Compliance.

The regulations seem to contemplate and permit covered persons or entities to design an information security program that is appropriate to their particular circumstances. That is, when evaluating whether a particular program complies with the Massachusetts data security regulations, the following may be taken into account:

- size, scope and type of business obligated to safeguard the personal information,
- resources available to the person or entity,
- amount of stored data, and
- need for security and confidentiality of both consumer and employee information.
The January 1, 2009, effective date imposes a short time frame for businesses to become compliant, particularly those that have significant amounts of personal information internally or maintained by vendors. While this measure may be good news for Massachusetts residents, the law significantly increases covered entities’ obligations to safeguard personal information and their exposure for a failure to do so. These regulations follow a nationwide trend — a number of other states, including California, Texas, New York, Oregon, and Maryland, have enacted similar measures. State regulations and the vast amount of employee and other personal information businesses own and maintain compel the need to develop comprehensive data security programs. Jackson Lewis attorneys are available to answer your questions about these new regulations and assist in developing your data security program.