This follows up on a July 2009 Inside Sourcing article about the information security regulation taking effect March 1, 2010 in Massachusetts. You should pay attention to the regulation if you – or service providers on your behalf – handle any personal information of Massachusetts residents, including employees of your business.
The regulation was revised in August 2009. This article addresses the revised, final regulation.
What Does the Regulation Require?
Every business that “owns or licenses personal information” about a Massachusetts resident must “develop, implement, and maintain” a comprehensive written information security program (WISP). “Owns or licenses” is defined as “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.” “Personal information” (PI) means first name (or initial) and last name combined with a Social Security number, driver’s license or state-issued ID card number, or financial account or credit or debit card number (with or without any required password, security or access code, or personal identification number).
The WISP must contain administrative, technical and physical safeguards for PI that are “appropriate to (a) the size, scope and type of business . . .; (b) the amount of resources available . . .; (c) the amount of stored data; and (d) the need for security and confidentiality” of the PI.
WISP – Required Elements
The elements required in a WISP include:
Designating one or more employees to maintain the program
Identifying and assessing foreseeable internal and external risks to the security, confidentiality or integrity of records
Evaluating and improving safeguards for limiting risks, including employee training and compliance and means for detecting and preventing security failures
Developing security policies regarding storage, access and transportation of records containing PI outside of business premises
Imposing disciplinary measures for violations of security rules
Preventing terminated employees from accessing records containing PI
Regular monitoring of the operation of the WISP
Reviewing security measures annually or whenever a material change in business practices implicates the security or integrity of records containing PI
Documenting responsive actions taken in connection with any security breach incident and conducting post-incident reviews
Selecting service providers capable of maintaining appropriate measures to protect PI
Contractually requiring service providers to maintain appropriate security measures (every service provider contract entered into before March 1, 2010 is deemed to comply)
Computer System Requirements
For businesses that electronically store or transmit personal information, the WISP must also include the establishment and maintenance of a computer security system (including any wireless system) that, “at a minimum, and to the extent technically feasible,” contains:
Secure user authentication protocols, including control of user IDs, a “reasonably secure” method of assigning and selecting passwords (or use of unique identifier technologies), control of data security passwords, restricting access to active users, and blocking access after multiple unsuccessful attempts
Secure access control measures that restrict access to PI to only those who need such information to perform their jobs and that assign unique identification plus passwords that are designed to maintain the security of access controls
Encryption of all transmitted records and files that contain PI and travel across public networks
Encryption of all PI transmitted wirelessly or stored on laptops or other portable devices
Reasonable monitoring of systems for unauthorized use of or access to PI
For files containing PI on a system connected to the Internet, reasonably up-to-date firewall protection and operating system security patches designed to maintain the integrity of the PI
Reasonably up-to-date versions of system security agent software, including malware protection and patches and virus definitions
Education and training of employees on the proper use of the computer security system and the importance of PI security
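As an added illustration (not part of the original article, and not code from the regulation or any named product), the following minimal Python account store shows what three of the authentication controls listed above look like in practice: passwords stored only as salted PBKDF2 hashes, access blocked after repeated unsuccessful attempts, and access refused for accounts that have been deactivated (the “terminated employee” case). The threshold of 5 failed attempts, the 15-minute lockout window, the 12-character minimum password length and the PBKDF2 iteration count are assumptions chosen for the example; the regulation itself says only “multiple unsuccessful attempts” and “reasonably secure.”

```python
import hashlib
import hmac
import os
import time

# Assumed policy values (the regulation does not specify numbers).
MAX_FAILED_ATTEMPTS = 5        # lock the account on the 5th consecutive failure
LOCKOUT_SECONDS = 15 * 60      # keep it locked for 15 minutes
MIN_PASSWORD_LENGTH = 12       # "reasonably secure" password selection rule
PBKDF2_ITERATIONS = 200_000    # work factor for the stored password hash


class AccountStore:
    """In-memory store of user accounts with lockout and deactivation."""

    def __init__(self):
        self._accounts = {}

    def create_user(self, user_id, password, active=True):
        # Reject weak passwords at selection time instead of storing them.
        if len(password) < MIN_PASSWORD_LENGTH or password.lower() == user_id.lower():
            raise ValueError("password does not meet the selection policy")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._accounts[user_id] = {
            "salt": salt,
            "digest": digest,
            "active": active,
            "failed": 0,
            "locked_until": 0.0,
        }

    def deactivate(self, user_id):
        # A terminated employee's credentials must stop working immediately.
        self._accounts[user_id]["active"] = False

    def authenticate(self, user_id, password, now=None):
        """Return 'ok', 'denied', 'locked' or 'inactive'."""
        now = time.time() if now is None else now
        acct = self._accounts.get(user_id)
        if acct is None:
            # Hash anyway so an unknown user ID costs the same as a wrong password.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
            return "denied"
        if not acct["active"]:
            return "inactive"
        if now < acct["locked_until"]:
            # Still inside the lockout window: do not even evaluate the password.
            return "locked"
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ITERATIONS)
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failed"] = 0
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failed"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed walk-through: five wrong passwords lock the account.
    store = AccountStore()
    store.create_user("alice", "correct horse battery staple")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.authenticate("alice", "wrong-password"))
    print(store.authenticate("alice", "correct horse battery staple"))
```

Passing `now` explicitly keeps the lockout logic testable without sleeping; in production the call falls back to the wall clock. Lockout and deactivation are checked before the password hash is computed so that a locked or disabled account gives no feedback about whether the supplied password was correct.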
What is the Penalty for Non-Compliance?
Violators may be subject to a $5,000 civil penalty for each violation. How violations will be counted for purposes of the penalty is unclear. If violations are counted on a per-record basis, businesses with thousands of records containing PI of Massachusetts residents could potentially face fines of millions of dollars.
How Can My Business Comply?
The revised, final regulation is not quite as demanding as earlier versions, but it is still a tough regulation that may require businesses to revise existing – or create new – WISPs. The regulation is also indicative of the direction in which state and federal information security laws are heading. Because of this, even businesses not subject to the regulation may want to consider creating and implementing WISPs that comply with the standards of the Massachusetts regulation.