MA DATA PROTECTION

Massachusetts Data Breach Protection Act Summary

Is Your Business at Risk?
How Changes to the Massachusetts Data Breach Protection Act Will Affect Your Business

Compliance Deadline March 1, 2010

What Is It?

The Data Breach Protection Act refers to the Consumer Affairs and Business Regulation Act 201 CMR 17.00, which implements the provisions of M.G.L. c. 93H. This regulation was updated in response to recent high-profile data loss events such as the TJX loss of 45.6 million credit and debit card numbers in 2007 and the Hannaford data breach in 2008. The updated act, which is designed to protect Massachusetts residents from unauthorized releases of personal information and to inform them when such an event has occurred, mandates specific security measures to be taken by any company that stores personal information.

We interpret this as an opportunity for Massachusetts businesses to establish themselves as the protectors of confidential personal information. While we believe this statute places the burden of compliance upon businesses, most of the requirements can be easily implemented. Many companies are already in compliance (or close to complying) and will only be required to make minor adjustments.

While the majority of the recommendations in this update constitute good business practices, the penalties and potential for lawsuits related to any failure to comply with this act effectively raise the stakes for businesses that don’t have a firm grasp on their IT infrastructure. Rather than waiting and risking an audit, fine, or lawsuit, let Total Business review your network and identify any potential vulnerability. Our quick and reasonably priced review will help ensure that you are aware of any potential issues and can take action to resolve them in a timely manner.

What Information Is Protected?

The Personal Information (PI) of any resident of Massachusetts (whether electronic or on paper) is protected. PI is defined as:

  • A Massachusetts resident’s first and last name or first initial and last name in combination with any one or more of the resident’s:
    - Social Security Number
    - Driver’s license number or State-issued Identification Card number
    - Financial account number (with or without security or access codes)
    - Debit or Credit card number (with or without security or access codes)
  • Excluded from PI is “information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.”

Who Must Comply?

“Every person that owns, licenses, stores, or maintains Personal Information (PI) about a resident of the Commonwealth”, including non-Massachusetts businesses, must comply with the new law. If you have employees, by definition you store the employees’ PI and therefore are subject to the law. The deadline to be in full compliance is January 1, 2010.

Business Requirements

Required entities must “develop, implement, maintain and monitor a comprehensive, written information security program (the Plan)”. This security program is one of the primary requirements of the act. The Plan must:

  • Designate at least one Data Security Coordinator, who shall be responsible for implementing, supervising, and maintaining the Plan. This includes:
    - Initial implementation of the Plan
    - Training employees (including part-time employees, contractors, etc.)
    - Regularly testing the Plan’s safeguards
    - Evaluating “the ability of service providers to comply with 201 CMR 17.00 in the handling of personal information for which you are responsible”, ensuring that contracts with service providers include provisions obligating them to comply with 201 CMR 17.00, and obtaining written certification from service providers that they comply with 201 CMR 17.00
    - Reviewing and revising the Plan ANNUALLY or WHENEVER a MATERIAL change in business practices affecting data security has taken place
    - Conducting an ANNUAL training session for all owners, managers, employees, and independent contractors (including temporary and contract employees) who have access to PI covered by the Plan. Employee Non-Disclosure Agreements are recommended. NOTE: All attendees of training sessions are REQUIRED to certify their attendance and their familiarity with the Plan’s requirements.
  • Impose disciplinary measures for violations of the program rules. NOTE: Penalties for non-compliance shall be levied at the discretion of the state.
  • Prevent terminated employees who had access to PI from retaining that access by IMMEDIATELY “terminating their physical and electronic access to such records, including deactivating their passwords and user names.”

Computer System Security Requirements

At a minimum, computer systems must:

  • Be protected by secure authentication protocols, including:
    - Control of user IDs
    - Secure assignment and selection of passwords
    - Secure storage of data security passwords
    - Restriction of access to active users only
    - Blocking of access after repeated unsuccessful logon attempts
  • Enforce secure access controls:
    - Restrict access to PI to ONLY those who need it
    - Assign unique, complex passwords to each user
  • Encrypt PI transmitted across public networks
  • Be monitored for unauthorized access to PI
  • Encrypt all PI stored on laptops and other portable devices
  • Be protected by a firewall and have reasonably up-to-date operating system patches, if the system contains PI and has Internet access
  • Run reasonably up-to-date anti-malware software with regularly updated, current anti-virus definitions, if the system contains PI
  • Employees must be trained on the proper use of computer security systems and on the importance of maintaining the security of PI

Data Destruction Requirements

When disposing of records containing PI (regardless of the storage medium):

  • Paper documents containing PI MUST be “redacted, burned, pulverized, or shredded so that PI cannot practicably be read or reconstructed”
  • Electronic media and other non-paper media containing PI MUST be “destroyed or erased so that PI cannot practicably be read or reconstructed”
  • Third parties that handle disposal for you MUST also “implement policies and procedures that prohibit unauthorized access to the PI”

What About Other Standards?

This regulation, while it is the most recent development, is not the only statute that defines explicit standards and penalties for the security of personal information; the Payment Card Industry (PCI) standard, which applies to any company that holds credit card information, has similar and in some areas overlapping security requirements. These compliance standards can be complex, and knowing which standards apply to your organization is a key business decision. An ongoing relationship with a trusted IT partner will help ensure that you get the right advice at the right time to keep your organization in step with the constantly changing regulatory environment.

When Does This All Take Effect?

All parties must be in full compliance with the law by January 1, 2010.

What Constitutes a Breach of Security?

A breach of security with respect to a Massachusetts resident’s PI is determined to have occurred when you:

  • “know or have reason to know of a breach of security”
  • know or have reason to know that a resident’s PI was “acquired or used by an unauthorized person or used for an unauthorized purpose”

Breach Notification Requirements

Should a breach of security occur, you are required to notify the specific Massachusetts residents whose PI has been compromised, the attorney general, and the director of consumer affairs and business regulation “as soon as practicable and without unreasonable delay”. This regulation differs from most other state data breach regulations in effect today in requiring notification of the attorney general’s office as well as of the parties specifically harmed by the data breach. Further, the director of consumer affairs and business regulation may notify, and may require you to notify, “relevant consumer reporting agencies or other state agencies”.

If you are only “maintaining or storing” the PI for another business, your notification requirements are slightly different and you should review the specific regulations covering notification (see Links section below).

Penalties

Enforcement for non-compliance rests with the Attorney General under M.G.L. c. 93A, which carries a civil penalty of not more than $5,000 per violation and may require payment of the reasonable costs of investigation, litigation, and attorney’s fees. In addition, private civil lawsuits may also be available to individuals harmed by a breach.

Links

Total Business Group, LLC
www.totalbz.com
Allen J. Margulis, PC
www.totalcounselor.com
Official website of the Office of Consumer Affairs and Business Regulations (OCABR):
www.mass.gov/?pageID=ocatopic&L=3&L0=Home&L1=Business&L2=Identity+Theft&sid=Eoca
Mass. OCABR official FAQ for regulation 201 CMR 17.00:
www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
OCABR Compliance implementation checklist:
www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf
Official requirements for security breach notifications under Chapter 93H:
www.mass.gov/?pageID=ocaterminal&L=3&L0=Home&L1=Business&L2=Identity+Theft&sid=Eoca&b=terminalcontent&f=idtheft_notification_reqs&csid=Eoca
Massachusetts General Law Chapter 93H Security Breaches Table of Contents:
www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
MGL c.93A Section 4: Penalties linked to the law
www.mass.gov/legis/laws/mgl/93a-4.htm
Revised MA Data Breach Law: 2/12/2009 update
www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&b=pressrelease&f=20090212_idtheft&csid=Eoca

Who We Are

Total Business Group, LLC:

Total Business specializes in providing quality Information Technology and Web support to small to medium sized businesses. Our highly trained, experienced engineers are well equipped to help you plan, estimate, design, execute, implement, and support your network, computer, IT, and Web systems. We can design your new network, seamlessly upgrade your existing computers and IT systems, integrate new offices, create your online presence, and provide ongoing, trouble-free support of all your computer and Web services. Our technical staff is there when you need us 24/7. We aim to make your Information Technology and Web investment a simple, reliable, and cost-effective enhancement to your bottom-line profitability.

Allen J. Margulis, PC:

Allen J. Margulis, PC is a business, tax and estate planning law firm located in Natick, MA. The services provided by the firm truly embody the concept of “Total Counseling”. The firm’s objective revolves around assisting clients in their individual, family and business lives. For many, these realms overlap and professional attention is needed to ensure benefits from those endeavors. Needs are always changing as families and businesses evolve, and the firm aims to help clients plan for those inevitable changes in an attempt to smooth a clear path into the future.

In the business and corporate realm, Allen J. Margulis, PC represents a wide spectrum of clients. The firm can assist at any and all stages in the lifespan of a business: from conceptualization and implementation, to tax services and annual filings, to dissolution. Because we are a law firm, Allen J. Margulis, PC remains apprised of current business legal code and tax code changes and works closely with our clients to ensure that they benefit from our knowledge and expertise. The firm also hosts classes, workshops and special events to educate our clients and their business associates in a collaborative approach to their success.

This publication, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Total Business Group, LLC or Allen J. Margulis, PC. Additionally, the foregoing discussion does not constitute tax advice. Any discussion of tax matters contained herein is not intended or written to be used, and cannot be used, for the purpose of avoiding penalties under the Internal Revenue Code or promoting, marketing or recommending to another party any transaction or matter.