Massachusetts Data Security Regulations (M.G.L. c. 93H) Effective March 1, 2010
The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) announced that it filed final data security regulations on November 4, 2009 that will take effect on March 1, 2010. The regulations establish minimum standards for safeguarding personal information contained in paper and electronic records.
What is considered “Personal Information”?
“Personal information” is defined as a Massachusetts resident’s first name and last name, or first initial and last name, combined with any one or more of the following: (a) Social Security number, (b) driver’s license number or state-issued identification card number, or (c) financial account number, or credit card or debit card number. Information lawfully obtained from publicly available sources or from government records lawfully made available to the public is not “personal information” under the statute.
What businesses are subject to this new regulation?
These regulations set forth the standards to be met by businesses or persons that own or license “personal information” of any Massachusetts resident.
Under M.G.L. c. 93H, any person or entity that owns or licenses a Massachusetts resident’s “personal information” must implement safeguards to protect that information. A business “owns or licenses” personal information if it “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”
When working with a third-party service provider that has access to personal information through the services it provides to a person or entity subject to the regulations, the covered business must take reasonable steps to select and retain a provider capable of maintaining appropriate security measures, and must contractually require the provider to implement and maintain such measures.
Please note, however, that contracts with third-party service providers entered into before March 1, 2010 are deemed compliant and need not be updated until March 1, 2012, even if they do not yet contain these provisions; any new or renewal contracts executed on or after March 1, 2010 must include them.
Data Security Requirements
To the extent “technically feasible,” the regulations require businesses to protect electronically stored and transmitted personal information through a computer security system that, among other requirements, provides secure user authentication protocols (such as control of user IDs and a secure method of assigning and storing passwords); secure access control measures that restrict access to personal information to those who need it to perform their job duties; and encryption of records containing personal information that are transmitted across public networks or wirelessly, as well as of personal information stored on laptops or other portable devices.
The “technically feasible” standard is intended to be a risk-based approach to information security, similar to the approach adopted in the FTC’s Safeguards Rule for financial institutions implemented pursuant to the Gramm-Leach-Bliley Act. This standard takes into account the evolving nature of technology and the particular business’s size, resources, and the nature and quantity of data it collects or stores.
Under this risk-based approach, a small business with little personal information beyond its employees’ personnel files will not have the same compliance obligations as a large corporation holding the personal information of thousands of customers and employees.
What Should Covered Businesses Do?
1. Work with legal counsel, the in-house IT department and, in some cases, outside technology consultants to create a roadmap of issues to be addressed in order to ensure compliance by the March 1, 2010 deadline.
2. Identify the location of all personal information possessed by the business, in both hard copy and electronic form.
3. Identify all internal and external security threats to personal information.
4. Prior to March 1, 2010, ensure that a written information security program and computer security protocols are in place. Create and implement a written comprehensive information security program which, among other things, must:
· Identify and assess all reasonably foreseeable internal and external risks to the security, confidentiality and/or integrity of any record (electronic or paper) that contains personal information;
· Evaluate and improve, where necessary, the effectiveness of current safeguards to limit identified risks, including the introduction of employee training and means for detecting and preventing security system failures;
· Develop security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises;
· Impose disciplinary measures for violations of the comprehensive security program rules; and
· Prevent terminated employees from accessing records that contain personal information.
5. Begin the process of ensuring that safeguards are in place to minimize the risks posed by these threats.
What is a “security breach”? What must a Covered Business do in the event of a breach?
For purposes of the regulations, a security breach is “…the unauthorized acquisition or unauthorized use of unencrypted data or encrypted data and the confidential process or key that is capable of compromising the security, confidentiality or integrity of personal information.” Note that the loss of encrypted data alone is not a breach; it becomes one when the key or process needed to decrypt it is compromised as well.
Since 2007, M.G.L. c. 93H has required a covered business that knows or has reason to know that a security breach has occurred to notify the Massachusetts Attorney General, OCABR and the affected residents, and that obligation continues under the new regulations.
For more information or to request assistance with compliance with the new regulations, please contact us at info@perinihegartypc.com or 617-217-2832.