Massachusetts Regulator Revises Information Security Requirements (Again)

Posted on November 2, 2009 by Hunton & Williams LLP

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.

A final version of the latest amendments has not yet been made public, but the BNA has circulated a copy of what is purported to be the final draft, which includes changes to provisions related to service providers.  First, the definition of “service provider” has been modified to (1) clarify that “any person” who “stores” personal information through the provision of services will fall within the definition’s scope (the term “stores” was not included in the prior version’s definition), and (2) remove the express exclusion of the U.S. Postal Service from the term “service provider.”

The “safe harbor” provision with respect to existing service provider contracts also has been revised.  Pursuant to the regulations, businesses that are subject to the regulations generally must require by contract that third-party service providers implement and maintain appropriate security measures for personal information.  While the previous version of the regulation stated that “any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed in compliance . . . notwithstanding the absence in any such contract of [this requirement], so long as the contract was entered into before March 1, 2010,”  the new version provides that “until March 1, 2012, a contract a person has entered into with a third party service provider to perform services . . . satisfies [this provision] even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.”  The revision clarifies that the deadline for updating service provider contracts entered into prior to March 1, 2010 is March 1, 2012, and any contracts entered into after March 1, 2010 must comply with the regulations upon execution.
Tags: , , , , , , , ,

Massachusetts Revises Information Security Regulations and Extends Deadline for Compliance

Posted on August 20, 2009 by Hunton & Williams LLP

On August 17, 2009, Massachusetts announced revisions to its information security regulations and extended the deadline for compliance with those regulations.  In the press release announcing the revised regulations, the Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation noted the concerns of small business leaders regarding the impact on their companies, stating that the updated regulations “feature a fair balance between consumer protections and business realities.”

First and foremost, the revisions emphasize a more flexible, risk-based approach to developing an information security program.  Previously the regulations required the adoption of a program incorporating specific elements without regard to the particular concerns of individual businesses.  The revised regulations instead direct businesses to implement an information security program that takes into consideration what is “appropriate to (a) the size, scope and type of business … ; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.” 

Second, the revisions modify several of the information security program requirements to reflect the risk-based approach.  For example, employers that must protect personal information from terminated employees will not be obligated to do so by “immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.”  Rather, the new regulation has a more customizable requirement that such employers “prevent[] terminated employees from accessing records containing personal information.”

Third, the definition of “encrypted” has been amended so as to make the encryption requirement technology-neutral, and there is a general emphasis on technical feasibility with respect to the various technological elements of an information security program.  For example, the revisions qualify that all computer system security requirements, including secure user authentication protocols and secure access control measures, should be implemented “to the extent technically feasible.”  Previously, only encryption was subject to the technical feasibility qualification.

Fourth, the term “service provider” is now specifically defined, and persons who own or license personal information will have to include information security requirements in their contracts with third-party service providers.  This parallels the service provider provision contained in the FTC’s Safeguards Rule promulgated pursuant to the Gramm-Leach-Bliley Act.

Finally, the compliance deadline for these regulations has been extended to March 1, 2010.  This is the third time Massachusetts has extended the deadline, following prior extensions that occurred in February 2009 and November 2008.
Tags: , , , , , ,

FTC Extends Red Flags Compliance Deadline to November 1

Posted on July 30, 2009 by Hunton & Williams LLP

On July 29, 2009, the Federal Trade Commission ("FTC") announced another three-month delay in the enforcement of the provision of Identity Theft Red Flags and Address Discrepancies Rule (the "Rule") that requires creditors and financial institutions to implement an Identity Theft Prevention Program.  The FTC noted that small businesses and entities with a low risk of identity theft remain uncertain about their obligations under the Rule and pledged to "redouble" its efforts to educate businesses about compliance with the Rule.  The new enforcement deadline for creditors and financial institutions is November 1, 2009.  The FTC news release is available here.

Tags: , , , , , , , ,

FTC Delays Enforcement of the Red Flags Rule until August 1, 2009

Posted on May 1, 2009 by Hunton & Williams LLP

At the eleventh hour, the Federal Trade Commission announced that it will once again delay enforcement of the Red Flags Rule.  The Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACTA").  The previous compliance date was May 1, 2009, which was an extension from the original deadline of November 1, 2008.  The new extension applies only to the provisions of the Rule requiring financial institutions and creditors to implement an identity theft prevention program.  The continuing enforcement delays respond to ongoing uncertainty about the Rule's intended scope.  In announcing this latest delay, the FTC cited "the ongoing debate about whether Congress wrote this provision [of FACTA] too broadly" and stated that extending the compliance deadline would "allow industries and associations to share guidance with their members . . . and give Congress time to consider the issue further."  On March 20, 2009, the FTC published the Red Flags Rule Compliance Guide to assist organizations that must comply with the Red Flags Rule.  The FTC stated in its news release yesterday that it will attempt to address some of the concerns regarding compliance with the Rule by publishing an identity theft prevention program template for low risk entities.  The FTC's news release is available here.

Tags: , , , , , ,