Data Security Regulation 2.0, Part 2: Massachusetts Has Written Your Information Security Program

This is the second installment of Andrew M. Baer’s coverage of a new, more assertive type of data security regulation that has huge implications for businesses operating online. Call it Data Security Regulation 2.0.

Massachusetts Has Written Your Information Security Program

Unlike the Nevada law (see Part 1), which is relatively brief and narrowly focused on the encryption of electronically transmitted data, Massachusetts’ new data security regulation, 201 CMR §17.00, is extremely sweeping and eliminates much private discretion in the realm of information security by imposing comprehensive, detailed operational requirements for business activities that touch personal information. Having had the privilege (or misfortune, depending on your view of current events) of serving as bank counsel for many years, I have grown accustomed to requirements like these being enforced by federal and state regulators. (Indeed, I once had a wonderful bonding moment with FDIC examiners as I was describing my client’s highly conscientious program for monitoring its vendors’ safeguards around customer information.) However, many companies are in unregulated industries, and for smaller businesses this type of government intrusion may come as a nasty shock. Simply put, from the standpoint of the Commonwealth of Massachusetts, we are all banks now.

Issued by the Office of Consumer Affairs and Business Regulation under authority granted by the state’s identity theft law, the regulation was initially set to go into effect on January 1, 2009. However, complaints from business groups and the deflating economy convinced the Commonwealth to postpone implementation and scale back some of the more onerous requirements. The amended regulation was finalized on February 12, 2009 and now mandates compliance by January 1, 2010. Despite some smoothing at the edges, it is still a remarkably activist bit of policymaking. All philosophical and ideological objections aside, 201 CMR §17.00 should be studied closely by CIOs and corporate counsel, not only to stay on the Commonwealth’s good side, but also because the regulation is basically a primer for writing an information security program and may well provide a model for future federal data security legislation.

Under the law “[e]very person that owns, licenses, stores or maintains personal information” about a Massachusetts resident must “develop, implement, maintain and monitor” a comprehensive written information security program, which must be “reasonably consistent with industry standards” and also must incorporate a sizeable laundry list of specific security measures. The definition of “personal information” is more expansive than in the Nevada statute, covering the same categories of information (name and Social Security or driver’s license number, etc.), but also a name combined with a credit or debit card or other financial account number with or without any required code or password that would permit access to the account.

Information security programs will be assessed for compliance on a sliding scale, taking into account the size, scope and type of the business, the available resources, and the amount and sensitivity of stored customer and employee data. However, at a bare minimum, each program must include such measures as designation of an employee to maintain it, security failure detection systems, employee training, employee security policies, disciplinary action for violators, immediate termination of former employees’ access to personal information (including immediate deactivation of passwords and user names), limitation of access to personal information to those who have a need to know, limitation of information collection and retention to legitimate business need, initial and ongoing due diligence review of third-party vendors with access to personal information to verify their compliance with 201 CMR §17.00, physical access controls (including locking of facilities), regular monitoring and upgrading of safeguards, review of security measures at least annually (sooner if there is a material change in business practices), and review and documentation of security incidents and any responsive or remedial action taken.

These program requirements apply to personal information whether it exists in electronic or paper form. However, businesses that electronically store or transmit personal information must incorporate additional computer and wireless system requirements in their information security programs. These include secure user authentication protocols and access control measures, such as unique user IDs and passwords and safe methods of assigning and controlling them, system monitoring, “reasonably up-to-date” anti-virus, malware and firewall protection together with ongoing application of security patches for these and the operating system, and employee computer security training. For a regulated financial institution or a publicly traded company subject to the Sarbanes-Oxley rules, the security measures mentioned so far are already standard business practice; smaller or more entrepreneurial companies, however, may have difficulty with the regulation’s insistence on formal written procedures and documentation.

What is unusual about the Massachusetts regulation is its explicit emphasis on encryption, which sets it apart from the federal banking regulations. To the extent technically feasible, a business must encrypt all records and files containing personal information transmitted over public networks or wirelessly. Additionally, all personal information stored on laptops or other portable devices must be encrypted. Encryption is defined much more rigorously than in the Nevada statute, as “the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key.” An earlier version of the regulation required 128-bit or equivalent encryption. Although this requirement was dropped, businesses are advised to steer clear of weak forms of encryption, since any use of security measures that are clearly insufficient in light of known risks or are disfavored in the industry will run afoul of the regulation’s other requirements.

The encryption requirement is far-reaching, as it covers not only the transmission of personal information (as the Nevada law does) but also its storage on laptops, smart phones, flash or USB drives, and other media. Frequently an employee will transfer information from an office terminal to one of these devices in order to work from home or in a mobile setting. If the device is subsequently lost or improperly accessed, the employer will be liable if there is no encryption. Therefore, businesses with customers or employees in Massachusetts must specifically address the storage of information on portable devices in their information security programs and employee training. My advice here is either to prohibit such activities (since employees with a legitimate need can easily be provided with secure remote access to data stored on work systems, access that should not include the ability to download the data) or to allow transfer of personal information only to devices specially provided by the employer that contain suitable access controls as well as industry-standard encryption.

Violations of 201 CMR §17.00 carry stiff penalties. The Massachusetts attorney-general is empowered to bring enforcement actions to recover up to $5000 per violation, attorneys’ fees and restitution for losses suffered by consumers, as well as obtain injunctive relief. In addition, as mentioned previously, any failure to comply with the requirements will be gleefully used by a plaintiff’s attorney to build a negligence case based on breach of a statutory standard of care.

Desperately Seeking Preemption?

The new laws in Nevada and Massachusetts are surely the harbinger of things to come. More and more states are considering assertive, top-down regulation of information security practices, and the profusion of different standards in various states will make it difficult and costly to comply with them all. The different encryption requirements in Massachusetts and Nevada illustrate this problem. Businesses would benefit from the enactment of a single, federal data security law that would preempt state laws covering the same subject matter. Until this happens, all businesses receiving personal information from a nationwide market should develop and implement, if they are not already required to do so by federal regulations, a written information security program that includes encryption and complies with the strictest state regulatory regime (as of this moment, Massachusetts).

Data Security Regulation 2.0 is not limited to banks and large corporations, but encompasses millions of businesses that collect customer information online. These businesses will have to get a lot more sophisticated very quickly. The perplexed are strongly urged to consult counsel and information security professionals to decrypt the new regulatory landscape.
——————
Andrew Baer is the founder of Baer Business Law, LLC, a Philadelphia firm focusing on e-commerce, business and technology law.

  • http://www.ipswitchft.com Emily Nichols

    This is a great posting, thank you so much for sharing! While this law may be a hindrance to businesses, it is very valuable to the safety and confidentiality of its customers.

  • http://www.sophos.net Data Protection

    With the amount of hackers stealing people's identities on a regular basis, it is no surprise that MA law requires businesses to protect their clients' security information. It is very important for banks, for civilians, and for the state to make sure that information on company networks is protected from the prying eyes of hackers with selfish and malicious intentions.

  • http://www.kraftlawfirm.com Michael Kraft

    You have done an excellent job of summarizing this sweeping legislation that will likely become the model of regulation around the nation. The challenge, of course, is how to effectively enforce the law – as you mention, it affects millions of businesses, but I doubt that many have heard of it yet (despite enactment several years ago) let alone taken steps to become compliant. Is the AG really going to spend time focusing on the local pizza shop or hairdresser, where vulnerability to attack is perhaps highest, when the consequences of a breach are so much greater at the big box stores? Time will tell.