<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>White Space Marketing:  Communication Strategy and Compliance &#187; Security</title>
	<atom:link href="http://www.whitespacemessaging.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.whitespacemessaging.com</link>
	<description>Providing Consistency in an Ever-Changing World.</description>
	<lastBuildDate>Thu, 10 Jun 2010 03:32:13 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Down and Dirty Electronic Data Protection</title>
		<link>http://www.whitespacemessaging.com/2010/06/07/data-protection/</link>
		<comments>http://www.whitespacemessaging.com/2010/06/07/data-protection/#comments</comments>
		<pubDate>Tue, 08 Jun 2010 02:26:20 +0000</pubDate>
		<dc:creator>John</dc:creator>
				<category><![CDATA[Complaince]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Personal Information Security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Communication]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Marketing]]></category>

		<guid isPermaLink="false">http://www.whitespacemessaging.com/?p=238</guid>
		<description><![CDATA[In this article, the last in our series, we will look at section four of the Massachusetts law, which addresses the specific requirements for electronic data.  As most businesses maintain some form of electronic data, this is a very important topic to know and understand.  http://www.whitespacemessaging.com/2010/06/07/data-protection/]]></description>
			<content:encoded><![CDATA[<p>Previously we looked at the Massachusetts personal information security requirements as they relate to all owned personal information.  It was, admittedly, not a light read, but it is necessary information to have in our knowledge bank.  In this article, the last in our series on data protection, we will look at sections four and five of the Massachusetts law, which address the specific requirements for electronic data and the implementation dates.  As most businesses maintain some form of electronic data, this is a very important topic to know and understand.  These details are found in <em><span style="text-decoration: underline;">Standards For the Protection of Personal Information of Residents of the Commonwealth</span></em>, at Sections 4 and 5.  If you would like to see the entire set of Regulations, they are available for a free download at the <a href="http://whitespace-marketing.com/12.html">White Space Resource Center</a>.<span id="more-238"></span></p>
<p>201 CMR 17.04, titled “Computer System Security Requirements,” mandates that “every person that owns or licenses personal information about a resident of [Massachusetts]” and stores or transmits that data electronically include in its comprehensive information security program the establishment and maintenance of a data security system that covers its computers, including wireless systems.  To the extent technically feasible, the comprehensive information security program must contain the following elements:</p>
<p>1.  Protocols for user authorization that include:</p>
<p style="padding-left: 30px; ">A.  Password protected access;</p>
<p style="padding-left: 30px; ">B.  A secure method, such as passwords or biometrics, to limit access to the protected data;</p>
<p style="padding-left: 30px; ">C.  Systems to protect the passwords and access maintained in such a way as to not compromise the security of the data;</p>
<p style="padding-left: 30px; ">D.  Limitations on the active users who have access to the protected data;</p>
<p style="padding-left: 30px; ">E.  A method to block access to any user who has multiple, unsuccessful login attempts.</p>
<p>2.  Secure access control measures that:</p>
<p style="padding-left: 30px; ">A.  Restrict access to protected data to only those persons who require access to perform their job functions;</p>
<p style="padding-left: 30px; ">B.  Assign unique user IDs and passwords, not generated by default within the particular computer system, and that are designed to maintain the integrity of the security of the protected data.</p>
<p>3.  Encryption of all data that is transmitted wirelessly or across public networks (like the internet).</p>
<p>4.  Methods of monitoring actual or attempted unauthorized use of or access to protected data.</p>
<p>5.  Encryption of all personal information stored on laptops or any other portable device (flash drives, discs, external hard drives, etc…).</p>
<p>6.  Firewall and operating system protection, designed to maintain the integrity of the system, for all systems holding protected data that are connected to the internet.  This should include regular firewall and operating system security patches.</p>
<p>7.  Reasonably up-to-date anti-virus and anti-malware software (what that nebulous statement means will end up before a judge, as what is reasonable to a particular business might not be reasonable to the government).  The security software must be updated regularly, including relevant security patches.</p>
<p>8.  Documented training programs for all employees who will access the computer system containing the protected data.  This training must emphasize the importance of protecting personal information.</p>
<p>Businesses must be compliant with the law examined in this series right now.  Section 5 of the regulation mandated compliance by March 1, 2010.  If your business is not compliant, it is critical that you create a comprehensive information security program.  If you need any assistance, please contact us.  We can help you develop your comprehensive information security program.  While resources, whether in-house or outsourced, must be dedicated to this effort, it is necessary to protect your business from a data breach and limit your liability in the event a breach does occur.</p>
<p>Like insurance, we all hate spending the time and money to protect against an event we hope will never happen.  However, we all carry insurance.  We carry insurance because we know that in the event of an accident or disaster, the cost of being covered is far less than the cost of not being covered.</p>
<p>Please leave your thoughts and comments on this subject.  If you have any questions, please feel free to post them here or contact us directly for a no-cost, no-obligation initial consultation.  Our job is to help you make sure your business is protected and thriving and we welcome the opportunity to serve you.</p>
<p><strong>DISCLAIMER</strong>:  The information presented here is general in nature, does not take your jurisdiction or actual circumstances into account and therefore may not apply to your circumstances or in your jurisdiction.  You should not rely on this general information as a substitute for legal advice from your attorney.  This is not an attorney-client communication.  You should seek individual advice from an attorney of your choosing if you require assistance in any legal or compliance matters.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whitespacemessaging.com/2010/06/07/data-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Personal Data: Comprehensive Information Security Programs – Part 2</title>
		<link>http://www.whitespacemessaging.com/2010/04/15/protecting-personal-data-comprehensive-information-security-programs-%e2%80%93-part-2/</link>
		<comments>http://www.whitespacemessaging.com/2010/04/15/protecting-personal-data-comprehensive-information-security-programs-%e2%80%93-part-2/#comments</comments>
		<pubDate>Thu, 15 Apr 2010 16:40:33 +0000</pubDate>
		<dc:creator>John</dc:creator>
				<category><![CDATA[Complaince]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Compliance]]></category>

		<guid isPermaLink="false">http://www.whitespacemessaging.com/?p=224</guid>
		<description><![CDATA[This is part two of our series on the new data security law in http://www.whitespacemessaging.com/2010/04/15/protecting-personal-data-comprehensive-information-security-programs-%e2%80%93-part-2/]]></description>
			<content:encoded><![CDATA[<p>We have looked at Section One of the Massachusetts law dealing with privacy and the security of personal data.  The key take-away in that section was that if you have personal information on even one Massachusetts resident, you are covered by the laws and face penalties if you are not in compliance.  Also, we learned that my dog is not sufficient protection for the data you have, as vicious as he might be (he is not at all vicious, or smart). If you missed the article on <a href="http://www.whitespacemessaging.com/2010/04/13/protecting-personal-data-comprehensive-information-security-programs/">Section 17.01</a>, the link will take you right to it.  Also, the laws and regulations are available free, with no registration required, at the <a href="http://www.whitespace-marketing.com/data-security-and-privacy.html">White Space Resource Center</a>.<span id="more-224"></span></p>
<p>Now we move on to Section 17.02, which pertains to definitions used in the regulations.  This is an important part of the regulation and any business with any data or personal information should familiarize themselves with these definitions.</p>
<p><strong>Breach of Security:</strong> The regulation defines a breach of security as the unauthorized use or acquisition of data that could compromise the “security, confidentiality or integrity of personal information” that creates a substantial risk of identity theft or fraud against a resident of Massachusetts.  If the acquisition of the information is lawful and the information was acquired in good faith but not authorized, it is not a breach.  An example of this might be procuring a list from a licensed list broker who represents that the data is legal and the use authorized, but in reality, the use was not authorized.  In such a case, there is no breach.  This is a somewhat loose definition and I am predicting that this will be the subject of litigation and judicial interpretation.</p>
<p><strong>Electronic</strong>:  This is a lot more straightforward.  Electronic data is data stored in an electronic medium.  That could be digital, magnetic, wireless, optical or the like.</p>
<p><strong>Encrypted</strong>:  This definition pertains to transformation of data into a form that cannot be used without the corresponding encryption key.  Encrypting data, especially when transmitting it, is a good practice no matter where you are doing business.</p>
<p><strong>Owns or Licenses</strong>:  This definition is wide reaching.  It pertains to any person (defined below) that receives, stores, maintains, processes or has access to personal information in connection with the provision of goods or services or in connection with employment.</p>
<p><strong>Person</strong>:  A person is considered a natural person (like you or me) or a corporation, association, partnership or other legal entity (trust, LLC, etc…).  The exception here is that agencies and offices of the Commonwealth of Massachusetts appear to be immune from these regulations.</p>
<p><strong>Personal Information</strong>:  This is the data that needs security and for which your written comprehensive data security policy should be aimed at protecting.  This data includes the first name or first initial and the last name of a Massachusetts resident with one or more of the following data associated with the name:</p>
<ol>
<li>social security number;</li>
<li>driver’s license number or state issued ID number;</li>
<li>financial account number, including bank or credit card numbers.</li>
</ol>
<p>Note that personal information that is public record, such as that contained in the Registry of Deeds, is not considered confidential personal information and that data is not subject to compliance so long as it is legally available to the general public.</p>
<p><strong>Record or Records</strong>:  Here we have another wide reaching definition.  Records can take the form of any material on which the data in question is written, drawn, spoken, imaged or otherwise recorded and preserved.  So if your CRM system is a series of index cards, or cocktail napkins for that matter, it is covered and you must provide data security to remain in compliance.</p>
<p><strong>Service Provider</strong>:  A service provider is one who, through their provision of services to those covered under this law, receives, stores, maintains, possesses or has access to covered personal information.</p>
<p>So there we have a thorough review of Section 2 of the <em><span style="text-decoration: underline;">Standards For the Protection of Personal Information of Residents of the Commonwealth</span></em><span style="text-decoration: underline;">.</span> Next, we will take a look at Section Three, which discusses the duty owed to protect the data and the standards for that protection.  So check back often or, even better, sign up for our RSS feed or email notifications.  That way, you know you will not miss a single bit of information that could lead to a violation of the law.</p>
<p>As always, if you have any questions, please feel free to <a href="http://www.whitespace-marketing.com/3.html">contact us</a>.  And if you have any comments or thoughts on this subject, or a subject you would like to know more about, please leave a comment.  Your input is always welcome.</p>
<address>DISCLAIMER:  The information presented here is general in nature, does not take your jurisdiction or actual circumstances into account and therefore may not apply to your circumstances or in your jurisdiction.  You should not rely on this general information as a substitute for legal advice from your attorney.  This is not an attorney-client communication.  You should seek individual advice from an attorney of your choosing if you require assistance in any legal or compliance matters.</address>
]]></content:encoded>
			<wfw:commentRss>http://www.whitespacemessaging.com/2010/04/15/protecting-personal-data-comprehensive-information-security-programs-%e2%80%93-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Personal Data: Comprehensive Information Security Programs</title>
		<link>http://www.whitespacemessaging.com/2010/04/13/protecting-personal-data-comprehensive-information-security-programs/</link>
		<comments>http://www.whitespacemessaging.com/2010/04/13/protecting-personal-data-comprehensive-information-security-programs/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 03:32:55 +0000</pubDate>
		<dc:creator>John</dc:creator>
				<category><![CDATA[Complaince]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Compliance]]></category>

		<guid isPermaLink="false">http://www.whitespacemessaging.com/?p=216</guid>
		<description><![CDATA[This is part one of our series on the new data security law in http://www.whitespacemessaging.com/2010/04/13/protecting-personal-data-comprehensive-information-security-programs/]]></description>
			<content:encoded><![CDATA[<div id="attachment_217" class="wp-caption alignleft" style="width: 116px"><img class="size-full wp-image-217 " title="The Data Security Dog" src="http://www.whitespacemessaging.com/wp-content/uploads/2010/04/Paddy-Data-Security-Dog.JPG" alt="Paddy Data Security Dog" width="106" height="184" /><p class="wp-caption-text">You better have better data security than this!</p></div>
<p>We discussed in a <a href="http://www.whitespacemessaging.com/2010/04/04/data-security-what-you-need-to-know-to-avoid-compliance-issues/">previous article</a> the growing concern among State and Federal lawmakers regarding protection of data.  More specifically, protection of consumers’ personal information.  This issue was escalated to the forefront of compliance practitioners and consultants with the implementation of a Massachusetts regulation (201 CMR 17.00), acknowledged to be the strictest rules on data security in the United States (so far).  The regulations and related laws are available for download in their entirety at no cost or obligation at the <a href="http://www.whitespace-marketing.com/12.html">White Space Resource Center</a> under “Privacy Laws and Regulations.”  As most businesses will have to address data security and protection of personal information, it is worth taking a closer look at the Massachusetts regulations.<span id="more-216"></span></p>
<p>The regulation, entitled <em><span style="text-decoration: underline;">Standards For the Protection of Personal Information of Residents of the Commonwealth</span></em>, is divided into five sections.  This series of articles will analyze each of these sections.</p>
<p><strong>Section 17.01 – Purpose and Scope</strong></p>
<p>The regulation implements the provisions of the Massachusetts Consumer Protection Statute, Massachusetts General Law Chapter 93H.  The law applies to “persons who own or license personal information about a resident of the Commonwealth of Massachusetts.”  This means that no matter where your business might be located, if you own or use personal information about any resident of Massachusetts, you must comply with the law.  The law’s stated purpose is to provide a minimum standard for the protection of personal data.  The law is intended to protect against the “unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.”</p>
<p>The most important take-away for this section is that any business that owns or licenses data related to a Massachusetts resident is required to comply with the regulation.</p>
<address>DISCLAIMER:  The information presented here is general in nature, does not take your jurisdiction or actual circumstances into account and therefore may not apply to your circumstances or in your jurisdiction.  You should not rely on this general information as a substitute for legal advice from your attorney.  This is not an attorney-client communication.  You should seek individual advice from an attorney of your choosing if you require assistance in any legal or compliance matters.</address>
]]></content:encoded>
			<wfw:commentRss>http://www.whitespacemessaging.com/2010/04/13/protecting-personal-data-comprehensive-information-security-programs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

