Massachusetts Information Security Regulations Take Effect on March 1, 2010

After several delays and revisions, the Massachusetts information security regulations, entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth,” will take effect on March 1, 2010.  The regulations apply to entities that own or license personal information about Massachusetts residents.  “Personal information” is defined as a combination of a resident’s first and last name and Social Security number, driver’s license or state ID number, or financial account number or payment card number that permits access to the individual’s financial account.

The regulations require entities to develop, implement and maintain a written, risk-based information security program that takes into account the entity’s size, nature of its business, types of records it maintains and the risk of identity theft posed by the entity’s operations.  Also set out in the regulations are numerous administrative, technical and physical safeguards that the required information security program must include. 

Finally, the regulations require covered entities to take steps to select and retain service providers that are capable of appropriately safeguarding personal information.  Covered entities must contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements; provided, however, that service provider contracts entered into no later than March 1, 2010, are exempt from complying with this requirement until March 1, 2012.

To read more about compliance with the new regulations, please see our Client Alerts (from February 2009 and from September 2008) and our previous blog posts.

Massachusetts Regulator Revises Information Security Requirements (Again)

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.

A final version of the latest amendments has not yet been made public, but the BNA has circulated a copy of what is purported to be the final draft, which includes changes to provisions related to service providers.  First, the definition of “service provider” has been modified to (1) clarify that “any person” who “stores” personal information through the provision of services will fall within the definition’s scope (the term “stores” was not included in the prior version’s definition), and (2) remove the express exclusion of the U.S. Postal Service from the term “service provider.”

The “safe harbor” provision with respect to existing service provider contracts also has been revised.  Pursuant to the regulations, businesses that are subject to the regulations generally must require by contract that third-party service providers implement and maintain appropriate security measures for personal information.  While the previous version of the regulation stated that “any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed in compliance . . . notwithstanding the absence in any such contract of [this requirement], so long as the contract was entered into before March 1, 2010,”  the new version provides that “until March 1, 2012, a contract a person has entered into with a third party service provider to perform services . . . satisfies [this provision] even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.”  The revision clarifies that the deadline for updating service provider contracts entered into prior to March 1, 2010 is March 1, 2012, and any contracts entered into after March 1, 2010 must comply with the regulations upon execution.

Massachusetts Revises Information Security Regulations and Extends Deadline for Compliance

On August 17, 2009, Massachusetts announced revisions to its information security regulations and extended the deadline for compliance with those regulations.  In the press release announcing the revised regulations, the Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation noted the concerns of small business leaders regarding the impact on their companies, stating that the updated regulations “feature a fair balance between consumer protections and business realities.”

First and foremost, the revisions emphasize a more flexible, risk-based approach to developing an information security program.  Previously the regulations required the adoption of a program incorporating specific elements without regard to the particular concerns of individual businesses.  The revised regulations instead direct businesses to implement an information security program that takes into consideration what is “appropriate to (a) the size, scope and type of business … ; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.” 

Second, the revisions modify several of the information security program requirements to reflect the risk-based approach.  For example, employers that must protect personal information from terminated employees will not be obligated to do so by “immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.”  Rather, the new regulation has a more customizable requirement that such employers “prevent[] terminated employees from accessing records containing personal information.”

Third, the definition of “encrypted” has been amended so as to make the encryption requirement technology-neutral, and there is a general emphasis on technical feasibility with respect to the various technological elements of an information security program.  For example, the revisions qualify that all computer system security requirements, including secure user authentication protocols and secure access control measures, should be implemented “to the extent technically feasible.”  Previously, only encryption was subject to the technical feasibility qualification.

Fourth, the term “service provider” is now specifically defined, and persons who own or license personal information will have to include information security requirements in their contracts with third-party service providers.  This parallels the service provider provision contained in the FTC’s Safeguards Rule promulgated pursuant to the Gramm-Leach-Bliley Act.

Finally, the compliance deadline for these regulations has been extended to March 1, 2010.  This is the third time Massachusetts has extended the deadline, following prior extensions that occurred in February 2009 and November 2008.

Compliance Deadline Extended for Massachusetts Data Security Regulations

Massachusetts recently announced that it is extending the deadline for compliance with new state data security regulations. In consideration of the current economic climate, Massachusetts has extended its original compliance deadline of January 1, 2009. The new compliance deadline will be phased in. By May 1, 2009, companies that are subject to the regulations must generally comply with the new standards and must contractually ensure the compliance of their third-party service providers. In addition, by May 1, 2009, covered businesses must encrypt laptops containing personal information. By January 1, 2010, companies are required to have a written certification of compliance from their third-party service providers and must encrypt other company portable devices, such as memory sticks and PDAs.

Massachusetts’ new May 1, 2009, compliance deadline coincides with the updated implementation deadline for the Federal Trade Commission’s Red Flags Rule. The Red Flags Rule contains provisions requiring certain financial institutions and creditors to put in place security measures aimed at detecting and preventing identity theft. Entities that are subject to both the Red Flags Rule and Massachusetts’ new regulations may be able to address the implementation requirements of both during the same program development process.

For details regarding the scope and requirements of the Massachusetts regulations, please click here.

For details regarding the updated Red Flags Rule compliance deadline, please click here.