New Massachusetts Data Security Regulations Issued


Massachusetts has joined other states, including California, Texas, New York, Oregon, and Maryland, in enacting legislation that protects the privacy of personal information. Protected information includes the name of a state resident in combination with their Social Security number, driver's license number, state identification number, or financial account, debit or credit card number combined with any required access code or password that would permit access to the account. The regulations apply to any business or individual that owns, licenses, stores or maintains personal information about a state resident. This includes businesses or individuals with no physical presence in Massachusetts that are nevertheless in possession of personal information about any state resident.

The regulations establish minimum standards for protecting and storing personal information about state residents held in paper or electronic form. Covered businesses or individuals must develop, implement, maintain and monitor a comprehensive information security program that applies to all records containing personal information. The program must be in writing, be reasonably consistent with industry standards, and include administrative, technical and physical safeguards.

Safeguards must include:

  • Designation of one or more employees to maintain the program.
  • Regular risk assessments to gauge risks to the security, confidentiality, and/or integrity of any records containing personal information.
  • Security policies that cover whether and how employees may keep, access and transport records containing personal information outside of business premises.
  • Disciplinary action against employees who violate the program.
  • Ensuring terminated employees no longer have access to personal information.
  • Verifying that outside vendors with access to personal information have the capacity to protect that information, and obtaining written verification of a compliant comprehensive information security program from external vendors before providing vendor access to personal information.
  • Collecting, retaining and providing access to personal information only to the extent it is reasonably necessary to accomplish the purpose for which it was collected, retained or accessed, or as necessary to comply with federal or state record retention requirements.
  • Identification of paper, electronic and other records, computing systems and storage media that contain personal information, unless all records are protected under a comprehensive information security program as if they contain personal information.
  • Imposing reasonable restrictions on physical access to records containing personal information, including a written procedure that sets forth how access is restricted.
  • Monitoring the program to ensure it is operating as intended and making adjustments as appropriate.
  • Assessing the safeguards at least annually or whenever there is a material change in business practices that may affect the security or integrity of the records.
  • Documenting steps to take to respond to a security breach.

Businesses or individuals who electronically store or transmit personal information must also establish and maintain a security system covering their computers, including any wireless systems, and this system must form part of the written, comprehensive information security program. The system must be able to authenticate users and restrict access. Personal information transmitted across public networks or wirelessly, as well as personal information stored on laptops and other portable devices, must be encrypted.

Deadlines for compliance are as follows:

  • General compliance deadline: May 1, 2009.
  • Ensuring that third-party service providers are capable of protecting personal information, and contractually binding them to do so: May 1, 2009.
  • Requiring written certification from third-party service providers: January 1, 2010.
  • Ensuring encryption of laptops: May 1, 2009.
  • Ensuring encryption of other portable devices: January 1, 2010.

The Massachusetts Office of Consumer Affairs and Business Regulation has issued a guide to help small businesses formulate a comprehensive written information security program, as well as a compliance checklist to assist businesses and individuals in their efforts to comply with these regulations. These documents are available here:

Massachusetts Small Business Guide
Massachusetts Compliance Checklist

Filed Under: Legislative Updates
