Massachusetts Data Security Regulation Compliance

March 15, 2010

The Massachusetts data security regulation compliance deadline was March 1, 2010. Are you in compliance?

TJX, the parent company of T.J. Maxx and Marshalls, disclosed that hackers had accessed customer data from its computer system, exposing millions of credit cards and debit cards to possible fraud. This breach of security has cost TJX millions of dollars to date in settling the fall-out there from. As result of this breach, the Massachusetts legislature enacted legislation in an attempt to prevent identity theft. New Massachusetts Data Security Regulations issued by the Massachusetts Office of Consumer Affairs & Business have  just became effective on March 1, 2010

The Regulations (i.e. 201 CMR 17.00) are available online at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf. The purpose of this regulation is protect the personal information of residents of Massachusetts so as to prevent identify theft. Under this new regulation, all persons or entities holding personal information about Massachusetts residents must (1) develop a Comprehensive Written Security Plan (“Security Plan”)  and appoint an employee to manage it and enforce violations, (2) implement firewalls and encrypt information in transit and on portable devices, and (3) train employees on information security.

The regulation applies to all persons or entities that own, license, store or maintain personal information about a resident of Massachusetts. In particular, this new regulation will have a significant impact upon the receipt and storage of personal information held by property management companies, closely held companies, condominium boards, realtors, and any other business that frequently handles personal information of residents of Massachusetts. In addition to the damage to a company’s good will, the potential costs of not complying with the Regulations can include the attorney general seeking an injunction against a company in violation of the injunction. In addition, if the court finds that the Regulations were violated, it may impose civil penalties of up to $5,000.00 per violation, as well as court costs and attorneys fees. If you have not complied with the Regulation, your company is exposing itself to potential liability and it should make it of the highest priority to comply with the Regulations.

Goldman & Pease has developed detailed Security Plans that can be crafted to address the particular needs of businesses across all industries. This article is meant to provide a brief overview of these new regulations, and to give businesses a general idea of the new Security Plan requirement.

Depending on the type, size, and scope of the individual business, each Security Plan should have an objective. Generally speaking, the objective of each plan should be to create effective administrative, technical and physical safeguards for the protection of personal information for the residents of the Commonwealth of Massachusetts. The new regulation defines “personal information” as a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following that relate to such resident: (1) social security number; (2) driver’s license number or state-issued identification card number; or (3) financial account number, or credit or debit card number, with our without any security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

The scope of each business’ Security Plan will generally depend upon the type and size of the individual business. In crafting such a plan each business should (1) identify reasonably foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing personal information; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information; (3) evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to minimize those risk; (4) design and implement a plan that puts safeguards in place to minimize those risks; and (5) regularly monitor the effectiveness of those safeguards.

After understanding the scope of each business’ individual Security Plan, each business should designate an employee to implement, supervise and maintain the Plan. This designated employee shall be responsible for initial implementation of the plan, training employees, regular testing of the plan’s safeguards, and evaluating the ability of service providers to implement their own Security Plan.

There are two main areas each Security Plan must address:

1.   internal risks; and

2.   external risks.

To address internal risks to personal information security, every business should take the following measures as soon as reasonably possible:

1.   A copy of the Plan must be distributed to each employee, who shall, upon receipt of the Plan, acknowledge in writing that he/she has received a copy of the Plan.

2.   Employment contracts must be amended to comply with the provisions of the Plan, and to prohibit any nonconforming use of personal information during or after employment; with mandatory disciplinary action to be taken for violation of security provisions in the Plan.

3.   The amount of personal information collected must be limited to that amount reasonably necessary to accomplish legitimate business purposes or to comply with state or federal regulations.

4.   Access to records containing personal information shall be limited to those persons who are reasonably required to know such information.

5.   Electronic access to user identification after multiple unsuccessful attempts to gain access must be blocked.

6.   Terminated employees must return all records containing personal information, in any form, that may at the time of the termination be in the former employee’s possession.

7.   A terminated employee’s physical and electronic access to personal information must be immediately blocked.

8.   Current employees’ user-IDs and passwords should be changed periodically.

9.   Employees are encouraged to report any suspicious or unauthorized use of any customer information.

10.   At the end of the work day, all files and other records containing personal information must be secured in a manner consistent with the Plan’s rules for protecting the security of personal information.

To address external risks to personal information security, every business should take the following measures as soon as reasonably possible:

1.   There must be reasonably up-to-date firewall protection and operating system security patches reasonably designed to maintain the integrity of personal information.

2.   There must be reasonably up-to-date versions of system security agent software.

3.   To the extent technically feasible, all personal information stored on laptops or other portable devices must be encrypted.

4.   All computer systems must be monitored for unauthorized use of or access to personal information.

5.   There must be secure user authentication protocols in place, including protocols for control of user IDs, a reasonably secure method of assigning and selecting passwords, control of data security passwords to ensure that such passwords are kept in a secure location, restriction of access to active users and active user accounts, and blocking of access to user identification after multiple unsuccessful attempts to gain access.

Despite the complexities that this Security Plan regulation requires, the scope of each business’ Security Plan will vary depending on its resources, and the type of personal information it is storing or maintaining. Given the Security Plan Requirements to safeguard personnel data from identity theft, Goldman & Pease has developed detailed Security Plans that can be crafted to address the particular needs of businesses across all industries.