Massachusetts Data Security Rules Amended Again - New Effective Date Is March 1, 2010

On August 17, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued another revision to the state’s data security rules, set forth in 201 CMR 17.00 (“Rules”). The Rules impose significant requirements on those possessing personal information of state residents, including those based outside Massachusetts. As part of the most recent revision, the effective date of the Rules has been changed to March 1, 2010. OCABR also issued a new list of frequently asked questions (“FAQs”) about the Rules and announced that an additional public hearing on the Rules will be held on September 22, 2009. Since their original release in September 2008, the Rules have been amended twice and their effective date repeatedly has been delayed, as discussed in Goodwin Procter’s September 29, 2008 and February 13, 2009 Client Alerts.

The new version of the Rules and the FAQs:

• Revise the definition of “encrypted” to a more technology-neutral standard. Previously, an algorithmic process or alternative process at least as secure was required.
• Broaden the scope of the Rules to include (in the definition of “owns or licenses”) any person that “otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”
• Define “service provider” and modify requirements for overseeing them. An entity subject to the Rules is no longer going to be required to take “all reasonable steps” to verify a service provider’s capacity to protect personal information, but is still required to “select and retain third-party service providers that are capable of maintaining appropriate security measures” and to require service providers “by contract to implement and maintain such appropriate security measures.”
• Modify the duty to protect personal information by a comprehensive information security program to allow the administrative, technical and physical safeguards to be “appropriate” to the size, scope and type of business; the amount of resources and data; and the need for security and confidentiality of the data. Previously, the duty was that the safeguards were to “ensure the security and confidentiality.”  This modification is consistent with the Rules’ accompanying press release, which outlines a more risk-based approach.
• Mandate certain computer system security measures only “to the extent technically feasible.”  According to the FAQs, encryption of data may not be required for certain mobile devices such as cell phones, Blackberries and similar devices, as there is no generally accepted encryption technology currently available. However, the FAQs note that technology for the encryption of personal information on laptops is available and cautions that where not technically feasible to encrypt, one should “take appropriate steps to secure and safeguard” the personal information. The FAQs also state that the Rules require encryption of backup tapes on a “prospective basis” and as technically feasible for other circumstances, such as transporting existing backup tapes.
• Eliminate the specific obligations about the collection and retention of, and access to personal information. The Rules also eliminate the requirement to inventory all paper and electronic records to determine which records contain personal information.
• Deem certain existing service provider contracts entered into prior to the effective date of the Rules as in compliance with the Rules.
• Do not further define financial account, but the FAQs state that an insurance policy number qualifies as a “financial account number” if the number “grants access to a person’s finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other assets.”

The FAQs and press release issued with the Rules note that the Rules intend for a risk-based approach to data security and that revisions were made to assist small businesses that do not handle significant amounts of personal information.

*          *          *

Attorneys from Goodwin Procter’s Privacy & Data Security Practice will be addressing in greater detail the requirements of the Rules at the International Association of Privacy Professionals’ Privacy Academy in Boston on September 16 and 17, 2009. Lynne Barr and Agnes Bundy Scanlan will moderate a session with Massachusetts Attorney General Martha Coakley entitled “The New Massachusetts Privacy Law: What Does it Mean for You?” David Goldstone will participate in the session “Massachusetts Data Security Rules: Perspectives from Regulators, Enforcers, Practitioners and Industry.” Jim Shreve will address compliance with federal and state data security breach requirements, including Massachusetts. Registration information is available here.