Massachusetts is enacting a data protection law in response to a significant rise in electronic data breaches. The law affects any company that stores personal information of a Massachusetts resident. The four page law can be read here: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
Companies will be required to develop, implement and maintain a comprehensive information security program that is written and contains administrative, technical and physical safeguards appropriate to safeguard the data.
Every comprehensive information security program shall include:
(1) Administrative Safeguards:
- Designating one or more employees to maintain the comprehensive information security program
- Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations
- Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information
- Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises
- Providing ongoing employee training that educates the employees on the proper use of the computer security system and the importance of personal information security.
- Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
(2) Technical Safeguards:
- Preventing terminated employees from accessing records containing personal information
- Providing means for detecting and preventing security system failures by regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks
- Implementing secure user authentication protocols including:
- (a) control of user IDs and other identifiers;
- (b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
- (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
- (d) restricting access to active users and active user accounts only; and
- (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
- Implementing secure access control measures that:
- (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
- (b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
- Encryption of all:
- (a) Transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
- (b) Personal information stored on laptops or other portable devices;
- On any system that is connected to the Internet and contains files with personal information on them
- (a) Keeping reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information
- (b) Keeping reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(3) Physical Safeguards
- Providing reasonable restrictions upon physical access to records containing personal information,and storage of such records and data in locked facilities, storage areas or containers.
Definitions used in the law:
- Breach of security, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
- Electronic, relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.
- Encrypted, the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.
- Owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.
- Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.
- Personal information, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
- Record or Records, any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
- Service provider, any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.
- Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.