There are only two weeks left to comply with the new Massachusetts privacy regulations. And before you think that they won't apply to you, think again.
I have written before about the new privacy regulations, which will be the toughest and most aggressive privacy rules in the country. Even though the process has been long and included delays and adjustments, the regs are finally going into effect on March 1st. And you don't have to be in Massachusetts to worry about them; the new rules will apply to anyone - whether based in Massachusetts or not - that holds certain information about Massachusetts residents. As a review, here is what you need to know:
Who is covered?
The new law covers any individual, corporation, association, partnership, or other legal entity that handles a Massachusetts resident's personal information in connection with employment or with the provision of goods or services, as long as that information is not otherwise publicly available. The personal information described here means a Massachusetts resident's name (first name and last name or first initial and last name) in combination with that resident's Social Security number, a driver's license or state ID number, or a financial account or credit card number.
What is required?
Those who are covered must create a comprehensive written information security program (a "WISP") to safeguard the information. The WISP need only be appropriate to the size, scope, and type of operation the person or business is engaging in, the amount of resources available, the amount of the stored data, and the need for security and confidentiality, but that still means that most people will need to make some adjustments. Your WISP must cover:
- Designation of a someone to maintain the WISP.
- Identifying and assessing reasonably foreseeable risks (both internal and external) to the confidentiality of the information whether on paper or electronic, and continually evaluating and improving the effectiveness of the safeguards through employee training and means of detecting and preventing security system failures.
- Developing security policies for the way the information is stored, accessed, and transported outside of business premises, and especially for the way the information is stored or transmitted on computers or wireless systems, including email.
- Imposing disciplinary measures for violations of the WISP rules.
- Taking reasonable steps to ensure that third-party service providers are capable of maintaining similar protections and requiring them by contract to implement and maintain appropriate security measures.
What kind of protection is necessary?
For paper records, you must provide for secure storage of materials containing personal information, such as physical restrictions (e.g storage in locked storage facilities or containers) and limiting access.
For electronic records, the WISP must include, to the extent technically feasible, a system to secure control of user IDs, password selection and control, and restricting access to active users. In addition, all electronic personal information transmitted wirelessly or across a public network, and all personal information stored on a laptop or other portable device must be encrypted. It is important to note that encryption for this purpose does not mean password protection; the regulation requires the information to be transformed into a "form in which meaning cannot be assigned". In other words, the information must be unreadable. Password protection alone does not satisfy the requirement.
Are there standard procedures to follow?
The quick answer is no - each person or company needs to come up with unique procedures and safeguards that are both reasonable and feasible for its specific operation. A large company will necessarily have more detailed procedures than a smaller company, and one industry may be held to a different standard another on a case-by-case basis. Your current procedures may be a good starting point and may, in some cases, already comply with the new requirements. There is ambiguity in the law's use of the terms "technically feasible" and "reasonable" that leave latitude for the specific terms of compliance. Some of these will be clarified over time through lawsuits and enforcement actions, which simply reinforces the need to re-evaluate your program over time.
However, that ambiguity should not be confused with making compliance optional. There are real consequences including lawsuits for breaches and in some cases civil penalties and fines imposed for each violation.
The bottom line is that you need to take this new Massachusetts law seriously, even if you are not in Massachusetts. But you can mitigate the risk by establishing these minimum standards to safeguard the personal information and prevent unauthorized access.
Here are some additional resources for information on the regulations: