With the first anniversary of the Massachusetts Data Security Regulations, 201 CMR 17 (pdf) (“Regulations”), coming in March, the International Association of Privacy Professionals (IAPP) recently hosted a panel discussion providing direct access to the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation to discuss their investigations to date and their current approach to enforcement. Panelists included Scott Schafer, Chief of the Consumer Protection Division, Massachusetts Attorney General's Office; Shannon Choy-Seymour, Assistant Attorney General, Consumer Protection Division, Massachusetts Attorney General's Office; Jason Egan, Deputy General Counsel, Massachusetts Office of Consumer Affairs and Business Regulation; and Lam Nguyen, Director (Digital Forensics), Stroz Friedberg LLP.
Scott Schafer opened with an overview of the enforcement actions to date and the daily reviews his office conducts. Schafer noted at the outset, the Attorney General’s (AG) current enforcement approach is not audit based due to insufficient resources. However, the AG is receiving a daily average of three to four data breach notifications pursuant to Massachusetts General Laws Ch. 93H (the “Notice Law”), and each breach report is closely reviewed. According to Schafer, the AG’s Office is looking for warning signals that may indicate noncompliance with the Regulations that would trigger a detailed investigation. Some of the circumstances likely to trigger a detailed investigation include:
- The reporting entity knew of the breach, but failed to notify affected individuals as required by the Notice Law.
- A Written Information Security Plan (WISP) cannot be produced.
- The WISP is inadequate, or had significant gaps because of a lack of due diligence in the risk assessment process.
- The compromised data was stored or maintained in circumstances not compliant with the “reasonable” security required by the Regulations.
- Unfairness or deception around the purpose for which the data was originally collected.
- Collected data that was subsequently used for purposes not disclosed to consumers, or where the collection itself is not disclosed leading to unfairness or deception to Massachusetts residents.
Shannon Choy-Seymour stated that she typically will ask to review a business’ WISP if the notification of security breach submitted to the AG revealed non-compliance with the Regulations. According to Choy-Seymour, she takes into account the size and scope of the business in question and the sensitivity of the data compromised when deciding whether to ask the business to submit its WISP. The AG recognizes that achieving full compliance may be a longer process for small businesses. In particular, Choy-Seymour stated the WISP must identify who is in charge of the businesses’ information security program, demonstrate the required risk assessment to create a reasonable plan, and include employee training. Further, “reasonable” steps toward compliance with the relevant policies should be evident, and when in place can reduce the risk of enforcement actions even if full compliance has not yet been achieved.