With reports of data breaches continuing to make the news and consumers becoming increasingly concerned about the security of their personal information, a small but growing number of states have begun to enact measures that go beyond requiring notification of individuals affected by data security breaches. In the wake of the massive TJX data security breach, Massachusetts became one of those states when its Office of Consumer Affairs and Business Regulation released new rules this week ordering any business with Massachusetts residents’ personal information to better protect that information.
The regulations have broad coverage, applying to all entities that own, license, store or maintain personal information about residents of the Commonwealth of Massachusetts, regardless of whether or not the entity has operations in the Commonwealth. Federally regulated financial and other entities are not exempt from the Massachusetts regulations, raising the question of whether entities that are in compliance with Gramm-Leach-Bliley, HIPAA and/or SEC information security requirements will be considered to meet the new Massachusetts requirements. Significantly, “personal information” has a somewhat limited scope, and is defined as a resident’s first and last name or first initial and last name in combination with a Social Security number, driver’s license number or financial account number. The regulations impose two principal requirements: (i) the duty to develop, implement and maintain a very comprehensive written information security program that meets very specific requirements; and (ii) the obligation to meet specific computer information security requirements.
The regulations are more specific than any state’s data security regulations to date, and require all companies that handle personal information to encrypt data stored on laptops, monitor employee access to data and take other steps to protect customer information. The regulations intrude into and micro-manage companies’ data security programs to a far greater extent than any other state has. For example, the regulations dictate conduct in vendor and employee relationships, including limiting employees with access to sensitive information to those who need access to do their jobs. The regulations also force an entity to identify every record (whether paper or electronic) that has personal information, and compel specific electronic security measures, including for wireless networks. They also require entities to obtain written certifications from service providers that will be provided with personal information before those vendors start their work. For most organizations, the regulations will require major changes. The new regulations become effective January 1, 2009, providing little time for ramp-up.
Information Security Program Requirements
People and entities subject to the regulations must develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing personal information. The information security program must be reasonably consistent with industry standards. It must also contain administrative, technical and physical safeguards to ensure the security and confidentiality of such records.
The regulations specify that the safeguards contained in the information security program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations to which the person or entity who owns, licenses, stores or maintains such information is subject. The regulations specify the following factors to be taken into account when determining whether a program is in compliance: (i) the size, scope and type of business of the entity or person obligated to safeguard the personal information under such comprehensive information security program, (ii) the amount of resources available to such entity or person, (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information.
While the measure calls for consistency with applicable federal regulations, the regulations include some items that overlap with the FTC Safeguards Rule, the HIPAA Security Rule and other federal agency guidance, but they also go far beyond what is currently required under federal law. Entities covered by the new regulations must have an information security program that requires the entity to:
- Designate Responsible Employees. Designate one or more employees to maintain the comprehensive information security program.
- Identify Risks and Assess Safeguards. Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing personal information, and evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to: (i) ongoing employee (including temporary and contract employee) training; (ii) employee compliance with policies and procedures; and (iii) means for detecting and preventing security system failures.
- Develop Employee Security Policies. Develop security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.
- Impose Disciplinary Measures. Impose disciplinary measures for violations of the comprehensive information security program rules.
- Prevent Access to Personal Information by Former Employees. Prevent terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.
- Exercise Control Over Service Providers. Take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including by (i) selecting and retaining service providers that are capable of maintaining safeguards for personal information; and (ii) contractually requiring service providers to maintain such safeguards. Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations.
- Place Appropriate Limits on the Collection and Use of Personal Information. Limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limit the time such information is retained to that reasonably necessary to accomplish such purpose; and limit access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with state or federal record retention requirements.
- Identify Records with Personal Information. Identify paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.
- Restrict Physical Access. Implement reasonable restrictions on physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; store such records and data in locked facilities, storage areas or containers.
- Conduct Regular Monitoring. Conduct regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrade information safeguards as necessary to limit risks.
- Conduct Annual Reviews. Review the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
- For Breaches, Document Responsive Actions. When a breach incident occurs, document the responsive actions taken, and conduct a mandatory post-incident review of the events and of any actions taken to change business practices relating to the protection of personal information.
Computer System Security Requirements
In addition to the requirement to implement a detailed information security program, the new regulations also mandate specific computer system security requirements. Massachusetts currently defines encryption in the regulations as a method “at least as secure” as one that transforms data “into a form in which meaning cannot be assigned without the use of a confidential process or key,” a definition the state may update. Each covered party must establish and maintain a security system, covering all of its computers (including any wireless system), which, at a minimum, has the following elements:
- Secure user authentication protocols including:
  - control of user IDs and other identifiers;
  - a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
  - control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
  - restricting access to active users and active user accounts only; and
  - blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
- Secure access control measures:
  - restricting access to records and files containing personal information to those who need such information to perform their job duties; and
  - assigning unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
- Encryption requirement in transmission: To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly;
- Reasonable monitoring of systems: Monitoring for unauthorized use of or access to personal information;
- Encryption requirement in stored information: Encryption of all personal information stored on laptops or other portable devices;
- Firewall protection: For files containing personal information on a system that is connected to the Internet, the system must have reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information;
- Malware and virus protection: The system must have reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis;
- Education and training: Each covered entity must train employees on the proper use of the computer security system and the importance of personal information security.
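As an added illustration (not part of the original article or of the regulations themselves), the following Python sketch shows how the user authentication and access control elements listed above translate into enforceable logic: passwords stored only as salted hashes, vendor default passwords refused at account creation, login limited to active accounts, lockout after multiple failed attempts, and immediate deactivation for a departing employee. The lockout threshold and the list of default passwords are constructed values, since the regulations state neither.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed threshold: the regulations say "multiple unsuccessful attempts" without a number.
MAX_FAILED_ATTEMPTS = 5
# Constructed sample of vendor-supplied default passwords the policy refuses to accept.
VENDOR_DEFAULTS = {"admin", "password", "changeme", "default", "12345678"}


@dataclass
class Account:
    user_id: str           # unique identifier per person, never shared
    salt: bytes
    pw_hash: bytes
    active: bool = True    # cleared immediately when an employee leaves
    failed_attempts: int = 0
    locked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are kept only as salted PBKDF2 hashes, not in a recoverable form.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(user_id: str, password: str) -> Account:
    if password.lower() in VENDOR_DEFAULTS:
        raise ValueError("vendor default passwords are not permitted")
    if len(password) < 12:
        raise ValueError("password does not meet the minimum length")
    salt = os.urandom(16)
    return Account(user_id, salt, _hash_password(password, salt))


def authenticate(acct: Account, password: str) -> bool:
    # Only active, unlocked accounts may authenticate at all.
    if not acct.active or acct.locked:
        return False
    if hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True  # block the user ID after repeated failures
    return False


def deactivate(acct: Account) -> None:
    # Terminated employee: electronic access is cut immediately.
    acct.active = False
```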
Given the very specific requirements of the new regulations and the tight compliance deadline, all businesses that own, license, store or maintain Massachusetts residents’ personal information should commence a review of their current security policies and procedures to determine whether they are and will be in compliance as of the January 1, 2009 effective date.
The New Trend?
It is unlikely that this intrusive regulation is the last we will see of such state requirements. Just as data security breach notification laws rolled across the country from state to state beginning in California, we may see a new trend in state laws mandating encryption and other specific data security requirements. In fact, in Nevada, a measure mandating encryption becomes effective October 1, 2008, and similar measures are being considered in Washington and Michigan. As federal bills have stalled in favor of other pressing matters, the Massachusetts regulations and others that may follow could ultimately prompt Congress to act to pre-empt such state-by-state requirements. Until then, entities with multistate operations and/or that collect data from individuals located in other states will need to remain vigilant about ensuring compliance with emerging state requirements.