Massachusetts Regulators Provide Significant Insight Into Enforcement of Stringent Information Security Regulations That Are Effective as of Today (March 1, 2010)

Touted as the most stringent information security regulations to date, Massachusetts’ requirements—applicable to both customer and employee personal information—mandate the implementation of a comprehensive written information security program. As explained in previous blog posts, the regulations require “cradle-to-grave” protections for the following categories of information about Massachusetts residents when combined with first name or initial and last name: Social Security number, driver’s license and other government-issued identification number, debit or credit card number, and financial account number. One critical question for organizations, particularly those grappling with tightened budgets, is where to focus limited resources in light of the enforcement risk. Recent statements by Massachusetts regulators provide a view towards the answer.

In an interview published on February 27 in BNA’s Privacy and Security Law Report, the director of the agency that promulgated the regulations, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR), made three statements that could have an important bearing on enforcement. First, OCABR takes the position that the regulations apply even when the personal information of Massachusetts employees is stored in a centralized human resources database located at a corporate headquarters outside of Massachusetts. Second, in the director’s view, employers have virtually no excuse for failing to encrypt personal information stored on laptops. Third, although current technology does not permit encryption of personal information stored on a hand-held device, such as a Blackberry® or a Smartphone®, employers should consider other steps that will limit the risk to Massachusetts personal information if the hand-held device is lost or stolen.

During a presentation at the Massachusetts Information Security Summit on January 27, the chief of the consumer protection division for Massachusetts’ Office of the Attorney General, which will be responsible for enforcing the regulations, suggested that his office will not be conducting compliance audits. Rather, the office will select potential targets for enforcement from security breach notifications. Under Massachusetts law, such notifications must be sent to affected Massachusetts residents and to the Attorney General’s Office when unencrypted Massachusetts personal information has been acquired or used by an unauthorized person in a manner that creates a substantial risk of identity theft or fraud.

Given that the loss and theft of portable devices is one of the likeliest causes of a security breach and in light of these regulators’ recent statements, employers can substantially reduce the risk of an enforcement inquiry or action by focusing particular attention on those devices. Policies to consider include the following:

  • Prohibit employees from storing personal information on a laptop except in those limited circumstances, such as the need to work on an airplane, where the information cannot be accessed through a secure, remote connection to the corporate server;
  • In the limited circumstances where employees can permissibly store personal information on a laptop, require the installation of disk-based encryption and the deletion of the personal information from the laptop when the business purpose has been accomplished;
  • Train employees not to store any personal information on a hand-held device and to immediately report the loss or theft of a hand-held device so that the company can send a “kill signal” that will delete all information from the device;
  • Train employees to save an e-mail or attachment containing personal information to the network server and permanently delete the e-mail from their e-mail inbox, thereby eliminating the ability to access those e-mails from a hand-held device; and
  • Multi-state employers should consider applying these steps to all employees, not just those located in Massachusetts.

This entry was written by Philip L. Gordon.

New York Suspends Mandatory Flu Shots

Less than one week after a state court judge halted New York state’s emergency regulation requiring mandatory H1N1 flu shots for most health care workers, Governor Paterson announced that the State Health Commissioner is suspending the requirement due to a limited supply of vaccine - approximately 23% of the anticipated amount. Available vaccines will instead be used for populations most at risk of serious illness or death, e.g., pregnant women and young people between the ages of 6 months and 24 years.

This entry was written by Philip L. Gordon.

New York Judge Halts Mandatory Flu Shots

In response to the swine flu pandemic sweeping the nation, New York in August 2009 became the only state in the United States to adopt an emergency regulation requiring most health care workers who come into contact with patients to get annual vaccinations for both seasonal and swine flu (H1N1) by no later than November 30, 2009. The regulation, issued by the New York State Commissioner of Health, provides a limited exemption for workers with “medical contraindications,” but not for those with a religious or ideological opposition to the vaccination.

In response to the emergency regulation, several unions and other groups filed suit in New York, challenging the mandatory vaccinations and the authority of the New York State Health Commissioner to institute mandatory vaccinations.

On October 16, 2009, New York State Supreme Court Justice Thomas J. McNamara issued a temporary restraining order in one of the lawsuits filed in Albany, proscribing the mandatory vaccination. The New York State Commissioner of Health and the New York State Hospital Review and Planning Council plan to vigorously defend the suit and the Commissioner’s authority to mandate vaccinations. The court scheduled an October 30 hearing regarding whether the restraining order should be lifted.

The temporary restraining order prohibits enforcement of New York’s mandatory vaccination law, but does not prevent employers from voluntarily offering influenza vaccinations to their employees. In addition, the temporary restraining order does not apply to employers outside the health care sector or to health care employers outside of New York. Nonetheless, employers should be cautious before implementing a mandatory immunization requirement. The EEOC recently issued guidance suggesting that mandatory immunizations might violate the ADA in certain circumstances. We will be publishing shortly additional recommendations in light of the EEOC’s recent guidance.

This entry was written by Philip L. Gordon.

New Regulations Create Potential Privacy Risk in Corporate Transactions

Today, the Department of Labor issued regulations to enforce Title I of the Genetic Information Non-Discrimination Act of 2008 (GINA). Title I regulates self-insured group health plans and health insurance issuers, among others. Title I prohibits group health plans from "collecting" any "genetic information." "Collection" means requesting, requiring or purchasing. "Genetic information" includes a family medical history. Title II of GINA, which governs employment discrimination based on genetic information, has parallel provisions, but the EEOC has not yet issued regulations. The anticipated regulations, however, likely will track those issued by the Department of Labor.

One of the examples in the Title I regulations states as follows:

Issuer A acquires Issuer B. Issuer A requests Issuer B's records and tells Issuer B that it does not want to receive any genetic information and that Issuer B should remove all genetic information from the production. Issuer B gathers the requested medical records and removes all medical information but inadvertently produces some family medical histories. Issuer A does not violate GINA's prohibition on collection because its receipt of the family medical histories falls within the incidental collection exception to the general prohibition.

The Key Point: This hypothetical suggests by negative implication that acquiring companies must make a point of telling the acquired company not to provide the acquiring company with any "genetic information" when the acquired company turns over personnel records to the acquiring company. If the acquiring company fails to do so and receives any family medical histories — for example, one given in connection with a health risk assessment, the acquiring company has "collected" genetic information, apparently in violation of GINA. Notably, GINA does not include an exception for collection with the consent of the individual, so it appears that obtaining the subject employee's authorization would not defeat potential liability.

The Labor Department’s regulations go into effect on December 7, 2009.

This entry was written by Philip L. Gordon.

For further information and analysis, see "Genetic Antidiscrimination Law Creates New Compliance Challenges for Employers" by Philip L. Gordon and Jennifer L. Mora and "Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now" by Margaret Hart Edwards.

Massachusetts Extends Deadline for Compliance with Data Security Breach Regulations

On Friday November 14, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a press release postponing the deadline for businesses to comply with recently promulgated regulations mandating the implementation of a “comprehensive written information security program.” As discussed in a previous blog post, the regulations require corporate human resource departments to implement a range of policies and procedures to safeguard the personal information of employees who are Massachusetts residents.

OCABR had initially required that companies comply with these regulations by January 1, 2009. The administrative agency apparently recognized the need to extend the compliance deadline after hearing the business community’s concerns over being forced to bear an additional financial burden in the midst of an economic downturn.


The new deadlines apply to three different sections of the regulations and are set forth below:

Written Information Security Program: The general deadline to comply with the regulations is now May 1, 2009. This means that by May 1, businesses must have developed and implemented what the regulations refer to as “a comprehensive, written information security program” to safeguard all personal information kept in paper and electronic format.

Third-Party Service Providers: By May 1, 2009, companies must be able to demonstrate that they have taken steps to verify that third-party service providers with access to the personal information of their clients, customers or employees have the capacity to protect such information. In addition, on or before January 1, 2010, businesses must obtain written certifications that such third-party service providers have established written, comprehensive information security programs designed to protect personal information.

Encryption: Businesses are now required to encrypt all personal information stored on laptops by May 1, 2009, and to ensure that all other portable devices (including PDAs, memory sticks, DVDs, etc.) are encrypted by January 1, 2010.

This entry was co-authored by Jennifer Bombard McGovern.