In response to questions from the Investment Company Institute, a trade organization for the mutual fund industry, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) provided responses intended to clarify certain provisions of the Massachusetts data security regulations, most of which go into effect May 1, 2009. Consistent with what the regulators have said in verbal presentations, the responses state that the security standards promulgated are to be seen as a “minimum,” and that entities are free to use their own written information security programs in lieu of the small business guide put out by the state, as long as the customized security program or best practices meet at least these minimum standards. One helpful clarification is OCABR’s indication that suggested vendor certification language certifying compliance “to the best of our reasonable knowledge and belief” would be compliant. On encryption, and the question of whether state-of-the-art technology may be a better alternative to encryption, e.g., a “kill pill” that disables a device, the OCABR emphasized that the effectiveness of the protection matters more than the novelty of the technology.
In the responses, the OCABR deferred all questions involving enforcement to the Attorney General’s office, and chose not to clarify whether an entity has an obligation, for example, to determine the state of residency of a person about whom it retains data when the data held does not identify that person’s state of residence. Similarly, for industries in which no regulator has promulgated “industry standards” for data security, the OCABR would not say to what standards an entity should look to determine whether its data security is “reasonably consistent with industry standards.” In the absence of any guidance on enforcement, it appears likely that enforcement by the AG would be triggered when a breach occurs and the requisite filing is made with the AG’s office, assuming the AG conducts an investigation at that point.
The regulators also deflected many of the questions in favor of the statutory wording, for example, for the definitions of terms such as “financial account” and “personal information.” In sum, the OCABR’s responses underscore the state’s intent to create a higher bar in data security regulation. At the same time, the responses indicate that OCABR chose not to address some of the industry’s widespread concerns, including the scope of information requiring protection and which parties are third-party service providers that trigger the regulations’ contractual and certification requirements, as well as what precisely will constitute a portable device requiring encryption, among other issues.
* * * * * *
Goodwin Procter Webinar on Massachusetts Data Security Regulations
Goodwin Procter invites you to attend a free webinar on the new Massachusetts Data Security Regulations, which apply to any business in possession of personal information of Massachusetts residents, whether or not that business maintains a presence in the state, and are scheduled to go into effect on May 1, 2009. The webinar will be held on January 15, 2009 from 12:30-2:00 EST. This webinar will address the practical implications of these regulations for businesses nationwide. Attorneys from Goodwin Procter’s Privacy & Cybersecurity Practice will examine the scope and requirements of the new rules; analyze the interrelationship between the Massachusetts rules and other information security requirements; explore best practices for information security policy development and implementation; and share views on current trends in this area, including other states that may be considering similar legislation.