Massachusetts Regulators Provide Significant Insight Into Enforcement of Stringent Information Security Regulations That Are Effective as of Today (March 1, 2010)

Touted as the most stringent information security regulations to date, Massachusetts’ requirements—applicable to both customer and employee personal information—mandate the implementation of a comprehensive written information security program. As explained in previous blog posts, the regulations require “cradle-to-grave” protections for the following categories of information about Massachusetts residents when combined with first name or initial and last name: Social Security number, driver’s license and other government-issued identification number, debit or credit card number, and financial account number. One critical question for organizations, particularly those grappling with tightened budgets, is where to focus limited resources in light of the enforcement risk. Recent statements by Massachusetts regulators provide a view towards the answer.

In an interview published on February 27 in BNA’s Privacy and Security Law Report, the director of the agency that promulgated the regulations, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR), made three statements that could have an important bearing on enforcement. First, OCABR takes the position that the regulations apply even when the personal information of Massachusetts employees is stored in a centralized human resources database located at a corporate headquarters outside of Massachusetts. Second, in the director’s view, employers have virtually no excuse for failing to encrypt personal information stored on laptops. Third, although current technology does not permit encryption of personal information stored on a hand-held device, such as a Blackberry® or a Smartphone®, employers should consider other steps that will limit the risk to Massachusetts personal information if the hand-held device is lost or stolen.

During a presentation at the Massachusetts Information Security Summit on January 27, the chief of the consumer protection division for Massachusetts’ Office of the Attorney General, which will be responsible for enforcing the regulations, suggested that his office will not be conducting compliance audits. Rather, the office will select potential targets for enforcement from security breach notifications. Under Massachusetts law, such notifications must be sent to affected Massachusetts residents and to the Attorney General’s Office when unencrypted Massachusetts personal information has been acquired or used by an unauthorized person in a manner that creates a substantial risk of identity theft or fraud.

Given that the loss and theft of portable devices is one of the likeliest causes of a security breach and in light of these regulators’ recent statements, employers can substantially reduce the risk of an enforcement inquiry or action by focusing particular attention on those devices. Policies to consider include the following:

  • Prohibit employees from storing personal information on a laptop except in those limited circumstances, such as the need to work on an airplane, where the information cannot be accessed through a secure, remote connection to the corporate server;
  • In the limited circumstances where employees can permissibly store personal information on a laptop, require the installation of disk-based encryption and the deletion of the personal information from the laptop when the business purpose has been accomplished;
  • Train employees not to store any personal information on a hand-held device and to immediately report the loss or theft of a hand-held device so that the company can send a “kill signal” that will delete all information from the device;
  • Train employees to save an e-mail or attachment containing personal information to the network server and permanently delete the e-mail from their e-mail inbox, thereby eliminating the ability to access those e-mails from a hand-held device; and
  • For multi-state employers, consider applying these steps to all employees, not just those located in Massachusetts.

This entry was written by Philip L. Gordon.

Massachusetts Agency Revises Information Security Regulations -- Yet Again

In what appears to be an on-going effort to find the right balance between information security and burdens on businesses, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) has materially revised—for a second time—regulations that were initially promulgated in October 2008, and has extended the compliance deadline for a third time. We have discussed the regulations in detail in prior blog posts. Consequently, we will only focus on the most recent revisions, which are described below:

  • New Compliance Deadline: The compliance deadline has been extended from January 1, 2010, until March 1, 2010.
  • Third-Party Service Providers: While the regulations still require that employers expressly address information security in their contracts with vendors who create or receive personal information on the employer’s behalf, employers now have until March 1, 2012, to negotiate amendments to vendor agreements entered into before the March 1, 2010 compliance deadline. Vendor agreements entered into after that date must require that vendors implement and maintain “appropriate security measures to protect [Massachusetts] personal information” in a manner that is consistent with the regulations and applicable federal law.
  • Break For Small Businesses: The prior regulations applied equally to businesses of all sizes. The revised regulations are scalable. In other words, the “appropriate” administrative, technical and physical safeguards may vary depending on (a) “the size, type and scope of business” involved; (b) the business’ available resources; (c) “the amount of stored data”; and (d) “the need for security and confidentiality of both consumer and employee information.”
  • Elimination Of Several Onerous Requirements: OCABR has completely deleted requirements that data owners (a) collect only the minimum necessary personal information, (b) retain such information for only as long as is necessary to achieve the purpose for which the information was collected, (c) restrict access to personal information to those with a need to know, and (d) identify all locations and devices where personal information is stored. These requirements were among the most burdensome in the regulations as previously drafted.
  • Less Prescription: The revised regulations eliminate several provisions which specified how certain safeguards should be accomplished. First, the requirement to provide physical safeguards previously mandated “a written procedure that sets forth the manner in which access to . . . records [containing personal information] is restricted.” The revised regulations merely require “[r]easonable restrictions upon physical access to records containing personal information.” Second, the previous regulations required that data owners restrict terminated employees’ access to personal information “by immediately terminating their physical access and electronic access to such records, including deactivating their passwords and user names,” whereas the revised regulations eliminate the quoted language. Third, rather than requiring a “comprehensive, written information security program,” the revised regulations now require a comprehensive information security program “that is written in one or more readily accessible parts.” Finally, the definition of “encryption” no longer requires “the use of an algorithmic process” so long as the process results in “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.”

New Data Security Breach Laws in Alaska and South Carolina Take Effect July 1, 2009

On Wednesday, July 1, 2009, the recently enacted Alaska and South Carolina notice of security breach laws will take effect. Alaska and South Carolina join forty-three other jurisdictions with notice of security breach laws. Some of the key provisions of these laws are described below.

The “Trigger Event”

Both laws require businesses to provide notice of security breaches when an unauthorized person acquires unencrypted computerized “personal information.” Alaska is one of six states that also require notice in response to the unauthorized acquisition of paper records containing personal information. Under both laws, personal information includes the affected individual’s first name or initial and last name, plus social security number, driver’s license number, or credit or debit card or financial account number in combination with any required security code.

The “Harm Requirement”

In Alaska, notice is not required if, after an investigation and notice to the Attorney General, the business determines that there is not a reasonable likelihood of harm to the consumer. Likewise, the South Carolina law does not require businesses to notify residents if illegal use of the information has not occurred, or is not reasonably likely to occur, or if use of the information does not create a material risk of harm to the resident.

Required Notices To Third Parties

If an entity is required to notify 1,000 or more Alaska residents, it also must provide the three national credit bureaus (TransUnion®, Experian®, and Equifax®) with the timing, distribution, and content of the notices to state residents.

If a business is required to notify 1,000 or more South Carolina residents of a security breach, that entity must notify the Consumer Protection Division of the South Carolina Department of Consumer Affairs as well as the national credit bureaus.

Penalties

Both statutes provide stiff penalties for businesses that fail to provide the required notice to affected individuals. In Alaska, offending businesses are subject to a civil penalty of up to $500 per resident not notified, with the total penalty capped at $50,000. Moreover, the offending business may be held liable for any actual economic damages suffered by affected individuals as a result of the failure to provide notice.

In South Carolina, businesses that fail to provide notice to affected individuals are subject to civil lawsuits by residents who are injured. Injured individuals may also recover attorneys’ fees and court costs, if successful. Moreover, the law permits the Department of Consumer Affairs to administratively fine knowing and willful violators $1,000 for each resident whose information was accessible by reason of the breach.

Scope Of Alaska’s New Law

In addition to the notice of security breach law, Alaska enacted a comprehensive statute involving protection of social security numbers, care of records, disposal of records and security freezes.

This entry was written by Katherine Dix.

New Nevada Law Mandates Encryption of Sensitive HR Data

Nevada has joined Massachusetts as the only two states currently mandating encryption of sensitive human resources information.* The Nevada law — which, like the Massachusetts regulations, takes effect January 1, 2010 — applies to any organization doing business in Nevada that collects an individual’s first name or initial and last name plus Social Security number, employee identification number, driver’s license number, or credit or debit card number or financial account number with any required security code (collectively “Personal Information”). Every employer collects employees’ SSNs in the ordinary course of business, and many employers assign employee identification numbers and collect driver’s license numbers. Consequently, the new law applies to all employers.

The statute requires encryption in two circumstances. First, electronic transmissions of Personal Information must be encrypted unless the transmission (a) passes within a secure network, or (b) is sent by fax machine. This means that intracorporate e-mail will not need to be encrypted as long as e-mails do not pass over the public Internet (which usually is the case). However, all e-mail to third parties, i.e., e-mails that do pass over the public Internet containing Personal Information, will need to be encrypted.

Second, no “data storage device” which contains Personal Information may be taken off-site unless the Personal Information is encrypted. The new law’s broad definition of “data storage device” includes laptops, iPhones, BlackBerrys, back-up tapes and disk drives, as well as virtually any other electronic device that can store Personal Information.

Employers who fail to comply with the law will be easily discovered. Because Nevada’s security breach notification law provides a safe harbor from notification for Personal Information that is encrypted, any notice of a security breach that discloses the loss or theft of a laptop, portable digital assistant, back-up tape or other electronic storage medium effectively would constitute an admission that the employer failed to comply with Nevada’s encryption requirement. Because that failure would violate a statutory standard, the absence of encryption most likely would be deemed negligent. For this reason, employers with operations in Nevada should begin now to develop plans for complying with the new Nevada encryption standard.

*For comprehensive coverage of the Massachusetts data security regulations, see Littler ASAP "New Massachusetts Regulations Impose Substantial Obligations on Corporate Human Resources Departments to Safeguard Employees' Personal Information" by Philip Gordon.

Massachusetts Regulatory Agency Revises the Massachusetts Data Security Breach Regulations and Further Extends Compliance Deadline

On Thursday, February 12, 2009, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) publicly disclosed key changes to the controversial Massachusetts data security breach regulations, 201 CMR 17.00. Taking into account testimony heard from business associations and employers at a public hearing last month, OCABR has further delayed the implementation deadline and somewhat loosened employers’ obligations with respect to third-party service providers and mandatory encryption requirements.

Highlights of the amendments to the regulations are:

Effective Date: Previously set to go into effect on May 1, 2009, the compliance date has been delayed until January 1, 2010.

Third-Party Service Providers: The original regulations required all employers to obtain: (a) by May 1, 2009, contractual assurances from their third-party vendors having access to Massachusetts residents’ personal information that the vendors are capable of safeguarding this information; and (b) by January 1, 2010, written certifications from each vendor that it has adopted a comprehensive information security program in compliance with Massachusetts regulations (201 CMR 17.00 et seq.).
The amended regulation no longer requires that employers obtain contractual assurances or a certification of compliance from third-party vendors. Instead, the regulations now require employers to take

“all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00.”

OCABR did not provide any guidance on how employers are expected to satisfy this requirement.

Encryption Requirements: Initially, the regulations required that employers encrypt all data that was transmitted wirelessly. OCABR’s revised rules now specifically limit this encryption requirement to data containing personal information that is transmitted wirelessly. Additionally, personal information stored on laptops and other portable devices must be encrypted by January 1, 2010.

This entry was written by Jennifer Bombard McGovern, an associate in Littler's Boston office.

New Massachusetts Regulations Impose Substantial Obligations on Human Resources Departments to Safeguard Employees' Personal Information

New Massachusetts regulations, effective January 1, 2009, are a clarion call for corporate human resources departments to join the war on identity theft. The regulations mandate the development and implementation of a "written, comprehensive information security program" to safeguard the information of Massachusetts employees and consumers. Such a program rarely will be fully effective without the involvement of human resources professionals and in-house employment counsel.

While these regulations apply only to organizations with Massachusetts employees, even employers without a Massachusetts presence should consider implementing a similar program. These regulations likely will be a model for other jurisdictions and could become the standard against which all information security programs are measured.