By Bruce H. Nielson, K&L Gates Partner, Washington D.C.
What Does the Regulation Require?
Every business that “owns or licenses personal information” about a Massachusetts resident must “develop, implement, and maintain” a comprehensive written information security program (WISP). “Owns or licenses” is defined as “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.” “Personal information” (PI) means first name (or initial) and last name combined with a Social Security number, driver’s license or state-issued ID card number, or financial account or credit or debit card number (with or without any required password, security or access code, or personal identification number).
The WISP must contain administrative, technical and physical safeguards for PI that are “appropriate to (a) the size, scope and type of business . . .; (b) the amount of resources available . . .; (c) the amount of stored data; and (d) the need for security and confidentiality” of the PI.
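As an added example that is not part of the original article, the definition of PI above and the Massachusetts-resident trigger expressed as a record classifier for scoping a WISP risk assessment; the `Record` field names and the sample values are constructed assumptions, not terms from the regulation.

```python
from dataclasses import dataclass

# Constructed record layout; the field names are assumptions for this example,
# not terms from the regulation or from any real system.
@dataclass
class Record:
    first_name: str = ""          # full first name or just an initial
    last_name: str = ""
    ssn: str = ""
    state_id_number: str = ""     # driver's license or state-issued ID card number
    financial_account: str = ""   # bank account or credit/debit card number
    state_of_residence: str = ""  # two-letter postal code, e.g. "MA"

def has_name(rec: Record) -> bool:
    """First name (or initial) combined with last name; an initial such as "J." is enough."""
    return bool(rec.first_name.strip()) and bool(rec.last_name.strip())

def has_data_element(rec: Record) -> bool:
    """At least one enumerated data element must accompany the name; whether a
    password or PIN for the account is also held does not matter."""
    return any(v.strip() for v in (rec.ssn, rec.state_id_number, rec.financial_account))

def is_personal_information(rec: Record) -> bool:
    """True when the record meets the regulation's definition of PI."""
    return has_name(rec) and has_data_element(rec)

def in_scope(rec: Record) -> bool:
    """Only PI about a Massachusetts resident triggers the WISP obligation."""
    return is_personal_information(rec) and rec.state_of_residence.strip().upper() == "MA"

def scope_report(records) -> dict:
    """Bucket records for a risk assessment: in scope, PI about a non-resident, or not PI."""
    report = {"in_scope": 0, "pi_other_state": 0, "not_pi": 0}
    for rec in records:
        if in_scope(rec):
            report["in_scope"] += 1
        elif is_personal_information(rec):
            report["pi_other_state"] += 1
        else:
            report["not_pi"] += 1
    return report

# Constructed sample records (fictitious values) covering the edge cases.
SAMPLE_RECORDS = [
    Record("Jane", "Doe", ssn="000-00-0000", state_of_residence="MA"),  # in scope
    Record("J.", "Doe", financial_account="4000000000000000", state_of_residence="MA"),  # initial suffices
    Record("", "Doe", ssn="000-00-0000", state_of_residence="MA"),  # no first name: not PI
    Record("Jane", "Doe", state_of_residence="MA"),  # name only, no data element: not PI
    Record("Jane", "Doe", state_id_number="S00000000", state_of_residence="NH"),  # PI, not a MA resident
]
```

Records that land in `pi_other_state` still carry sensitive data and may be covered by another state's law; the bucket only says they do not trigger this regulation.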
WISP – Required Elements
The elements required in a WISP include:
- Designating one or more employees to maintain the program
- Identifying and assessing foreseeable internal and external risks to the security, confidentiality or integrity of records containing PI
- Evaluating and improving safeguards for limiting risks, including employee training and compliance and means for detecting and preventing security failures
- Developing security policies regarding storage, access and transportation of records containing PI outside of business premises
- Imposing disciplinary measures for violations of security rules
- Preventing terminated employees from accessing records containing PI
- Imposing restrictions on physical access to records containing PI
- Regular monitoring of the operation of the WISP
- Reviewing security measures annually or whenever a material change in business practices implicates the security or integrity of records containing PI
- Documenting responsive actions taken in connection with any security breach incident and conducting post-incident reviews
- Selecting service providers capable of maintaining appropriate measures to protect PI
- Contractually requiring service providers to maintain appropriate security measures (every service provider contract entered into before March 1, 2010 is deemed to comply)
Computer System Requirements
For businesses that electronically store or transmit personal information, the WISP must also include the establishment and maintenance of a computer security system (including any wireless system) that, “at a minimum, and to the extent technically feasible,” contains:
- Secure user authentication protocols, including control of user IDs, a “reasonably secure” method of assigning and selecting passwords (or use of unique identifier technologies), control of data security passwords, restricting access to active users, and blocking access after multiple unsuccessful attempts
- Secure access control measures that restrict access to PI to only those who need such information to perform their jobs and that assign unique identifications plus passwords that are designed to maintain the security of access controls
- Encryption of all transmitted records and files that contain PI and travel across public networks
- Encryption of all PI transmitted wirelessly or stored on laptops or other portable devices
- Reasonable monitoring of systems for unauthorized use of or access to PI
- For files containing PI on a system connected to the Internet, reasonably up-to-date firewall protection and operating system security patches designed to maintain the integrity of the PI
- Reasonably up-to-date versions of system security agent software, including malware protection and patches and virus definitions
- Education and training of employees on the proper use of the computer security system and the importance of PI security
What is the Penalty for Non-Compliance?
Violators may be subject to a $5,000 civil penalty for each violation. How violations will be counted for purposes of the penalty is unclear. If violations are counted on a per-record basis, businesses with thousands of records containing PI of Massachusetts residents could potentially face fines of millions of dollars.
How Can My Business Comply?
The revised, final regulation is not quite as demanding as earlier versions, but it is still a tough regulation that may require businesses to revise existing – or create new – WISPs. The regulation is also indicative of the direction in which state and federal information security laws are heading. Because of this, even businesses not subject to the regulation may want to consider creating and implementing WISPs that comply with the standards of the Massachusetts regulation.