Massachusetts Data Security Regulations: Effective Date Extended and Mandates Eased
Posted: August 24, 2009
Balancing consumer protection with the needs of small business, the Office of Consumer Affairs and Business Regulation (OCABR) issued substantial revisions to Massachusetts’ data privacy and security regulations on August 17, 2009, that include extending the compliance deadline to March 1, 2010, among other things. (See Press Release.) This announcement follows two prior extensions of the effective date of the regulations and substantive modifications to the rules. The key revisions to the regulations are highlighted below and will be the subject of a public hearing on September 22, 2009, leaving open the possibility of additional modifications.
While the regulations remain a comprehensive set of standards for protecting and storing personal information about Massachusetts residents in paper or electronic format, the most recent changes seek to accommodate the concerns of small businesses for which compliance is a challenge, particularly in this economic environment. The changes are summarized below:
- Application. The new regulations apply to persons that “own or license” personal information, defining the term “own or license” to mean “receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods and services or in connection with employment.” The prior regulations simply applied to “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”
- Objectives modified. A stated regulatory objective was changed from “protect[ing] against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents” to “protect[ing] against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.” While this seems to have broadened the kinds of harms the regulations seek to prevent, the effect of the change from “residents” to “consumer” is unclear as the regulations do not define “consumer.”
- Maintaining technical neutrality. In an effort to keep the regulations technology-neutral, OCABR removed from the definition of “encryption” the requirement that data be transformed through the use of an algorithmic process. Under the new definition, personal information will be considered encrypted if it is transformed into a form in which meaning cannot be assigned without the use of a confidential process or key.
- Expanding technical feasibility. Under the prior regulations, the requirement to encrypt transmitted records and files travelling across public networks and wirelessly was limited to the extent technically feasible. In what is likely another nod to small businesses, the new regulations expand the technically feasible limitation to the requirements to protect personal information on computer systems, as well. That is, the requirements for a security system covering computers and any wireless system will now apply “to the extent technically feasible.”
- Risk-based implementation. The new regulations are now risk-based in implementation, as well as in enforcement. The prior version permitted four factors to be taken into account when evaluating whether a program complied with the regulations:
  - the size, scope and type of business obligated to safeguard the personal information,
  - the resources available to the person or entity,
  - the amount of stored data, and
  - the need for security and confidentiality of both consumer and employee information.
  The new regulations make clear these factors should be taken into account when designing a program’s administrative, technical and physical safeguards, a change that will certainly benefit small businesses.
- Service provider contracts. Contracts with third-party service providers entered into before March 1, 2012, which contain no requirement that the service provider maintain appropriate security measures consistent with the new regulations and federal law, will be deemed to be compliant with the regulations, so long as the contract was entered into before March 1, 2010. This appears to mean that for contracts entered into before March 1, 2010, covered entities will have until March 1, 2012, to amend their agreements with their service providers who handle personal information. Despite this change, companies with personal information of individuals other than Massachusetts residents need to consider whether to demand amendments sooner. For example, similar contract requirements already exist under Maryland, Nevada and Oregon law.
- Attempts to ease certain requirements. The new regulations appear to soften some of the requirements for a comprehensive information security program:
  - The requirement that covered entities immediately terminate physical and electronic access to personal information of terminated employees was eliminated. However, the regulations retain the requirement that covered entities prevent terminated employees from accessing such information.
  - The new regulations eliminate the general requirement to restrict access to personal information to those with a need to know. This requirement, however, remains with respect to electronically stored personal information. With more and more personal information stored electronically, it is unclear how much of a change this is from the prior version of the regulations.
  - The new regulations also eliminate the data mapping requirement and the requirements to limit: (i) the collection of personal information to what is reasonably necessary, and (ii) the length of time personal information is retained. While these changes appear to ease the regulatory burden on covered entities, the general requirement to have administrative, technical and physical safeguards remains. As a practical matter, a covered entity must consider whether a court interpreting and applying these regulations might find it unreasonable for a business to be collecting or retaining personal information unnecessarily. Likewise, a court might find that in order for a business to reasonably safeguard personal information it must know the locations of that information and/or the devices where personal information is stored.
Despite these changes, the regulations continue to require that covered entities develop, implement and maintain a comprehensive information security program to protect personal information. The program still must be in writing, although the writing can now be “in one or more readily accessible parts.” Thus, the standards for protecting personal information in Massachusetts will continue to challenge businesses and employers who “own or license” personal information about Massachusetts residents. While the extended compliance deadline will provide some additional time for businesses, the revised regulations still leave much for businesses to do to become compliant. Moreover, Massachusetts is no longer the only state with a comprehensive data security program mandate. A number of other states, including California, Texas, New York, Oregon and Maryland, have enacted similar measures, and New Jersey is set to issue a comprehensive set of regulations containing a similar mandate. Jackson Lewis attorneys are available to answer your questions about these new regulations and assist in developing your data security program.