Attempts by States to Control the Internet Are Just Beginning

Last year, new privacy regulations became effective in Massachusetts, which required businesses to take a series of actions whenever they held personal financial information of Massachusetts residents.  The law had far-reaching implications because it could effectively cover businesses that had no other ties to the Commonwealth. Now California is making its own privacy grab by targeting the (somewhat dubious) privacy policies of Facebook and other social networking sites with the proposed "Social Networking Privacy Act".  Anyone who uses Facebook, Google, Twitter, and the like knows that it is difficult to control how your personal information is stored and used - or frankly, what each site's fluid policies even cover at any given time.  This has caused well-documented user confusion and angst, and has led to many privacy breaches.

But California is pushing privacy restrictions to a new level.  The Massachusetts privacy law, for example, regulated mostly back-end processes and governed how personal information would be protected by the companies once it was acquired.  The difference here is that California's bill will affect how the companies interact with their California users, from regulating how the companies collect the personal information to what they can do with it.  The bill would require Facebook and the others to change not only how they collect information from their users, but also what information can be posted by default, and how information can be removed.  One provision gives parents the right to remove information posted by "minors", meaning anyone under the age of 18 (a provision that I am sure would not exactly be popular with high school students).

The bill will likely not make it into law in its current form, partly because of an alliance of powerful opponents.  But it is clear that states are starting to take privacy issues very seriously, and, in the absence of a federal alternative, will still try to take action to protect their citizens.

REMINDER: Massachusetts Privacy Regulations Launch March 1st. Here is what you need to know.

There are only two weeks left to comply with the new Massachusetts privacy regulations.  And before you think that they won't apply to you, think again. I have written before about the new privacy regulations, which will be the toughest and most aggressive privacy rules in the country.  Even though the process has been long and included delays and adjustments, the regs are finally going into effect on March 1st.  And you don't have to be in Massachusetts to worry about them; the new rules will apply to anyone - whether based in Massachusetts or not - that holds certain information about Massachusetts residents.  As a review, here is what you need to know:

Who is covered?

The new law covers any individual, corporation, association, partnership, or other legal entity that handles a Massachusetts resident's personal information in connection with employment or with the provision of goods or services, as long as that information is not otherwise publicly available.  The personal information described here means a Massachusetts resident's name (first name and last name or first initial and last name) in combination with that resident's Social Security number, a driver's license or state ID number, or a financial account or credit card number.

What is required?

Those who are covered must create a comprehensive written information security program (a "WISP") to safeguard the information.  The WISP need only be appropriate to the size, scope, and type of operation the person or business is engaging in, the amount of resources available, the amount of the stored data, and the need for security and confidentiality, but that still means that most people will need to make some adjustments. Your WISP must cover:

  1. Designation of someone to maintain the WISP.
  2. Identifying and assessing reasonably foreseeable risks (both internal and external) to the confidentiality of the information whether on paper or electronic, and continually evaluating and improving the effectiveness of the safeguards through employee training and means of detecting and preventing security system failures.
  3. Developing security policies for the way the information is stored, accessed, and transported outside of business premises, and especially for the way the information is stored or transmitted on computers or wireless systems, including email.
  4. Imposing disciplinary measures for violations of the WISP rules.
  5. Taking reasonable steps to ensure that third-party service providers are capable of maintaining similar protections and requiring them by contract to implement and maintain appropriate security measures.

What kind of protection is necessary?

For paper records, you must provide for secure storage of materials containing personal information, such as physical restrictions (e.g., storage in locked storage facilities or containers) and limiting access.

For electronic records, the WISP must include, to the extent technically feasible, a system to secure control of user IDs, password selection and control, and restricting access to active users.  In addition, all electronic personal information transmitted wirelessly or across a public network, and all personal information stored on a laptop or other portable device must be encrypted.  It is important to note that encryption for this purpose does not mean password protection; the regulation requires the information to be transformed into a "form in which meaning cannot be assigned".  In other words, the information must be unreadable.  Password protection alone does not satisfy the requirement.
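As an added illustration (not part of the original post), the following Go program encodes the regulation's definition of covered personal information from the "Who is covered?" section above and shows what "encrypted" means here: the identifier is sealed with AES-GCM so that the stored bytes carry no assignable meaning without the key, which is exactly what a password gate in front of clear data fails to provide. The `Record` type, the key and the sample values are constructed assumptions; the "not otherwise publicly available" exclusion is not modeled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record is a constructed example of a row a business might hold; "" means absent.
type Record struct{ FirstName, LastName, SSN, LicenseNo, AccountNo string }

// IsCoveredPI applies the regulation's definition: last name plus first name (or initial) with at least one identifier.
func IsCoveredPI(r Record) bool {
	return r.FirstName != "" && r.LastName != "" && r.SSN+r.LicenseNo+r.AccountNo != ""
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one identifier with AES-GCM as nonce||ciphertext||tag: unreadable without the key.
func EncryptField(key []byte, plaintext string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// DecryptField reverses EncryptField; it fails on a wrong key or any tampering.
func DecryptField(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("stored blob is too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	return string(pt), err
}
```

Only the identifier fields need this treatment on a laptop or over a public network; the name alone is not covered, but the name together with one sealed identifier still is, so the key must be kept off the same device.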

Are there standard procedures to follow?

The quick answer is no - each person or company needs to come up with unique procedures and safeguards that are both reasonable and feasible for its specific operation.  A large company will necessarily have more detailed procedures than a smaller company, and one industry may be held to a different standard than another on a case-by-case basis.  Your current procedures may be a good starting point and may, in some cases, already comply with the new requirements.  There is ambiguity in the law's use of the terms "technically feasible" and "reasonable" that leaves latitude for the specific terms of compliance.  Some of these will be clarified over time through lawsuits and enforcement actions, which simply reinforces the need to re-evaluate your program over time.

However, that ambiguity should not be confused with making compliance optional.  There are real consequences including lawsuits for breaches and in some cases civil penalties and fines imposed for each violation.

The bottom line is that you need to take this new Massachusetts law seriously, even if you are not in Massachusetts.  But you can mitigate the risk by establishing these minimum standards to safeguard the personal information and prevent unauthorized access.

Here are some additional resources for information on the regulations:

Massachusetts Data Privacy Regulations Get Delayed ... Again

For those of you stressing over the changes to personal information policies and procedures required by the pending Massachusetts data security regulations, you can breathe a sigh of relief... sort of.  The deadline for implementing the new policies has been pushed back - for the third time.  Now the new regulations will take effect on March 1, 2010 (rather than in January), and some of the more controversial aspects of the law have been watered down to make the requirements more palatable to small businesses. If you are a business owner who is not aware of the upcoming changes, you need to take a look.  The far-reaching regulations are a response by lawmakers to the highly-publicized security breaches at TJX, The Boston Globe, and others where thousands of social security numbers, credit card numbers, and other personal information were carelessly unsecured.  As described by Mass High Tech:

The Massachusetts regulations, first promulgated last fall based on a legislative directive, will go further than any other state by requiring any company that handles state residents’ sensitive data to take measures to protect it. Measures include encryption and extend to ensuring that all third-party IT service providers adequately protect sensitive data — a clause that drew criticism from business owners as an onerous requirement.

Specifically, the revisions to the data security regulations moderate the specific requirements to make them more consistent with the federal privacy requirements under the Gramm-Leach-Bliley Act.  The new Massachusetts privacy regulations apply to any business - yes, even outside of Massachusetts - engaged in commerce that collects and retains personal information of Massachusetts residents in connection with the provision of goods and services.  While these regulations will apply to all businesses regardless of size, the new revisions make clear that the regulations will apply a risk-based approach based on the size and scope of each business (i.e., smaller businesses storing small amounts of information will be required to take different actions than a large company with much more information and resources).

So, what does this mean for you?

If you are a business owner who collects the first name or initial and last name of a Massachusetts resident in combination with that resident's (a) Social Security number, (b) driver's license or state-issued identification card number, or (c) financial account number or credit or debit card number, you must comply with the new regulations by March 2010.  That includes, at a minimum:

  1. creating a comprehensive information security program for safeguarding against "reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity" of the personal information, including employee training and education;
  2. encrypting all data and files containing the personal information to the extent "technically feasible" and maintaining "reasonably up-to-date" firewall protection and operating system security patches; and
  3. taking "reasonable steps" to select and retain third-party service providers that are capable of maintaining appropriate security measures consistent with these regulations and any applicable federal regulations.

The steps that were originally included as required actions are now offered as guidance to comply with the regulations, but whether a company is ultimately in compliance will be determined on a case-by-case basis.  In any event, all businesses should take a look at their data security procedures to make sure they are up to date.

Are you concerned about how the new regulations will affect you?  What do you see as the biggest challenges to comply?