Mass. Privacy Law: Are You Compliant?It is Now Time for Covered Entities to Step up Data Protection
"Yes," is the answer from some industry analysts. But how the new law will be enforced - that's the real question.
"Expect the deadline to hold," says John Ottman, CEO of Application Security, Inc. "[But] will auditors start knocking on doors asking for a WISP (written information security program) and looking to test systems?"
The New Privacy Standard
The new law, Massachusetts identity theft regulations, 201 Code of Massachusetts Regulations 17.00, applies to any individual, company or organization that handles personal information in connection with employment or the sale of goods or services. Under the law, Massachusetts will require any entity that stores or transmits residents' personal information to encrypt the data when it's stored on portable devices or transmitted via the Internet. The personal information is a combination of customers' or employees' names and their Social Security, bank account or credit card numbers. The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) says it is trying to create a culture of security around personal information.
The law's compliance date was pushed back last August to the March 1 date. The new regulation also requires businesses to take a "risk-based" approach and develop written security plans that take into account their size, the nature of their business, the types of records that they maintain and the risk of identity theft.
The OCABR states it has made presentations about the regulations to representatives from more than 1,000 businesses and organizations across the state. It also has an online guide to help smaller businesses setting up information security programs. It also has a compliance checklist and a FAQ on the law's requirements.
The state's goal is to stop data breaches that in the last two years exposed the personal information of more than 1.05 million people in Massachusetts. Of the 807 breaches reported to the state through last October, 495 resulted from criminal or other unauthorized acts such as the theft of laptop computers or outside hacking into unencrypted databases, while the remainder fell to improper employee handling of personal information - from transporting sensitive information to mailing the wrong document.
What to Expect
The new regulation represents a significant change in the compliance world for companies that aren't in regulated industries, says Deborah Birnbach, an attorney at Boston-based law firm Goodwin Procter.
She sees a significant ramp up for businesses other than financial services and healthcare companies. "The business community is doing its best to comply," Birnbach says. "For those entities who have been subject to regulations under Gramm-Leach-Bliley and other regulatory schemes, these changes are not as significant. For unregulated businesses, the changes are more substantial."
Goodwin Procter is talking to many clients who have been preparing for these regulations for some time, and have modified their existing policies and procedures to meet the very detailed requirements that Massachusetts has put in place. "In essence, Massachusetts has become the common denominators of various jurisdictions for setting compliance standards," she says. "By that, I mean that businesses are assuming that if they meet Massachusetts standards, they are in good shape."
People are complying by putting in place or updating their written information security plans and by documenting all the diligence they do on service providers who receive personal information. Businesses are also reviewing their service provider agreements to see if amendments will be necessary to existing agreements. Finally, people are reviewing their incident response plans and updating them as necessary.
Birnbach says it's unlikely that the state Attorney General's Office, which is in charge of enforcing the new regulation, has enough resources to proactively monitor compliance, but will instead depend on the required data breach notifications made to the attorney general's office.
"In Massachusetts, like certain other states, in addition to notifying consumers that their information has been accessed in a breach, there is an obligation to notify the attorney general's office," Birnbach says. "I would expect that those notices to be a starting point to investigation and enforcement."