Corporate compliance, legal, and IT officers entered a brave new world last week, when Massachusetts’ strict new data privacy law finally went into effect.

The law, bureaucratically known as 201 CMR 17.00, took hold on March 1 after a year of delays to quell anxiety among corporations that the specific details of implementation were vague, impractical, and expensive. Those concerns don’t seem to have receded much in that time, but regardless, the nation’s newest and most far-reaching regulation to protect consumers’ privacy has now arrived.

The law applies to any company anywhere in the world that “owns or licenses” personal information—whether stored in electronic or paper form—about Massachusetts residents. Personal information is defined as a person’s first and last name, or first initial and last name in combination with any of the following: Social Security Number; driver’s license or state-issued I.D. card numbers; financial account numbers; and credit or debit card numbers.

At the heart of the law is the requirement that companies develop a comprehensive Written Information Security Program (WISP) that contains technical, administrative, and physical safeguards that take into account the size and nature of their business; the amount of resources available; the amount of stored data; and the risk of identity theft. These safeguards must also be consistent with existing state and federal regulations for protection of personal information “of a similar character,” such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.

In that regard, experts say the Massachusetts regulations aren’t all that groundbreaking. “In general, companies have been moving in this direction anyway,” says Beckwith Burr, a partner in the regulatory and government affairs department of law firm WilmerHale.

Still, others are urging state regulators to go easy on enforcement, at least until corporations fully understand what they must do to comply with the law. The Associated Industries of Massachusetts put out a statement urging state regulators “to pursue a collaborative and educational posture toward the regulated community, especially small businesses, to enhance compliance and increase awareness.”


Bradley MacDougall, associate vice president of government affairs at AIM, says that warning is necessary because “there are still folks out there who still need to get a better sense of what it means to reach compliance,” and that will be an ongoing challenge. MacDougall does, however, credit the final regulations as “more clearly reflecting” state lawmakers’ intent to protect consumers’ personal information.

Compliance Details

In many ways, Burr says, much of what the privacy regulations mandate “is common sense.” For example, companies must have secure controls that restrict access to personal data to only those employees who need that data to do their jobs. The regulations also call for secure user IDs and other identifiers, as well as a secure method for assigning, selecting, and physically securing passwords.

Also, as part of that program, companies must:

Designate at least one employee to oversee the WISP policy;

Educate and train employees on information security, and discipline them for violations;

Audit the system annually to ensure that it works;

Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, or integrity of records containing personal information; and

Evaluate and improve, where necessary, the effectiveness of current safeguards for limiting such risks.

Other requirements include the existence of reasonably up-to-date versions of security software, including malware protection; and reasonably up-to-date patches and virus definitions to catch emerging threats.

The regulations also create far-reaching compliance concerns for the IT industry, because they require outsourcing or support contracts to state explicitly that service providers must meet this regulation—and that applies to any contracts between a service provider and its sub-contractors, as well. The regulations apply to new contracts executed after March 1. Existing service provider contracts don’t need to be amended immediately, but must be updated by March 1, 2012.

Cost Concerns

FAQs

Below is an excerpt of guidance from the state of Massachusetts answering some frequently asked questions about the privacy law:

What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009?

There are some important differences in the two versions. First, the most recent regulation issued in August of 2009 makes clear that the rule adopts a risk-based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC’s Safeguards Rule. A risk-based approach is one that directs a business to establish a written security program that takes into account the particular business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. It differs from an approach that mandates every component of a program and requires its adoption regardless of size and the nature of the business and the amount of information that requires security. This clarification of the risk-based approach is especially important to those small businesses that do not handle or store large amounts of personal information. Second, a number of specific provisions required to be included in a business’s written information security program have been removed from the regulation and will be used as a form of guidance only. Third, the encryption requirement has been tailored to be technology neutral and technical feasibility has been applied to all computer security requirements. Fourth, the third party vendor requirements have been changed to be consistent with Federal law.

To whom does this regulation apply?

The regulation applies to those engaged in commerce. More specifically, the regulation applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. The regulation does not apply, however, to natural persons who are not in commerce.

Does 201 CMR 17.00 apply to municipalities?

No. 201 CMR 17.01 specifically excludes from the definition of “person” any “agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” Consequently, the regulation does not apply to municipalities.

Must my information security program be in writing?

Yes, your information security program must be in writing. The scope and complexity of the document will vary depending on your resources, and the type of personal information you are storing or maintaining. But, everyone who owns or licenses personal information must have a written plan detailing the measures adopted to safeguard such information.

What about the computer security requirements of 201 CMR 17.00?

All of the computer security provisions apply to a business if they are technically feasible. The standard of technical feasibility takes reasonableness into account. The computer security provisions in 17.04 should be construed in accordance with the risk-based approach of the regulation.

Does the regulation require encryption of portable devices?

Yes. The regulation requires encryption of portable devices where it is reasonable and technically feasible. The definition of encryption has been amended to make it technology neutral so that as encryption technology evolves and new standards are developed, this regulation will not impede the adoption of such new technologies.

Do all portable devices have to be encrypted?

No. Only those portable devices that contain personal information of customers or employees and only where technically feasible. The “technical feasibility” language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, blackberries, netbooks, iphones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops.

Must I encrypt my backup tapes?

You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt (i.e. the tape allows it) then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled and take appropriate steps to secure and safeguard the personal information. For example, if you are transporting a large volume of sensitive personal information, you may want to consider using an armored vehicle with an appropriate number of guards.

Source: Mass. Office of Consumer Affairs and Business Regulation

The regulations bring with them a host of cost concerns, especially for companies that aren’t in regulated industries. One major worry has been the requirement that companies must encrypt all personal information saved on laptops or other portable devices, as well as all records that are transmitted wirelessly. In today’s freewheeling work environment of PDAs, home offices, and road warriors, good luck with that.


“A lot of businesses don’t use encryption, especially with portable devices,” says Thomas Smedinghoff, a partner at law firm Wildman Harrold. While encryption of sensitive data is a “good solid security practice,” obtaining the encrypting software and the infrastructure you need could be expensive, he says.

The cost of resolving a security breach, however, will probably lead companies to find a way to get the job done. According to a new study from the security research firm Ponemon Institute, data breaches cost companies an average of $6.75 million per incident. Across the 45 breached companies surveyed, the average cost per compromised customer record was $204. Even worse: remediation costs for the least-affected company still hit $750,000, and one firm’s breach cost it nearly $31 million.

“In the five years we have conducted this study, we have continued to see an increase in the cost to businesses for suffering a data breach,” Larry Ponemon, chairman of the Ponemon Institute, said in a prepared statement. “With a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach.”


The results underscore the point that technology is only part of the compliance solution; raising employee awareness about information security is crucial. “You can have all of the policies in the world, but the rubber meets the road where individual employees are handling this data,” Burr says.

If other states follow in Massachusetts’ path—and many are predicting exactly that—that also could lead to a complex and costly web of compliance headaches, as companies try to maintain multiple policies and procedures to comply with differing regulations. Nevada is already moving down the Massachusetts path with its own tough new privacy law, “and I think we’re going to see more of that,” Smedinghoff says.

Another large question is how state regulators will enforce the law, and what types of offenses would prompt an enforcement action. According to the statute, state Attorney General Martha Coakley is in charge of enforcement. Until her office does launch an enforcement action (and it has given no hint that it will do so any time soon), companies won’t know what “good compliance” with the privacy law looks like.

One hint: In 2007, Massachusetts amended its laws to require companies to notify state regulators if they suffer a data loss that could result in identity theft; failure to comply can result in fines of up to $5,000 per violation. It’s reasonable to assume that the enforcement approach taken under those provisions will carry over to the new data privacy regulations as well.

What might happen to out-of-state companies that don’t comply is also unknown. Smedinghoff says that in conversations he’s had with state officials, “they are taking the view that they have jurisdiction over companies outside of Massachusetts,” reasoning that the harm caused by an out-of-state breach can still affect Massachusetts residents.

The Massachusetts Office of Consumer Affairs and Business Regulation, which wrote the regulations, says it has no plans to publish any further guidance on compliance with the law. A spokesman, however, tells Compliance Week: “We are certainly open to anybody calling us with any questions.”