
The New Standard
Massachusetts’ sweeping new data protection rules

Joe Laferrera
Gesmer Updegrove LLP
March 2009
Massachusetts’ Law: Chapter 93H
Effective October 2007
Notification in event of data breach
Consistent with other states’ laws
Reactive
Data Breach Notification Laws

Massachusetts’ Regulations: 201 CMR 17.00
Issued October 2008
Plan to secure and protect residents’ personal information
Broader than anything else in the country
Proactive
Overview
If regs apply:
must protect Personal Information
must have written information security plan (WISP) detailing policies and procedures
must have designee(s) responsible for protecting Personal Information
Massachusetts-type Regulations
Who’s Covered
Person, Corp., Partnership, Assoc., Non-profit, Educ. Inst.
which owns, stores, licenses or maintains
any personal information about a Massachusetts resident


Personal Information
Massachusetts residents’ name +
Social Security number
Driver’s license or State ID number
Credit card or debit card number
Financial account number
Territorial Reach
Essentially all Massachusetts businesses
Retailers nationwide who accept credit cards
Third-party service providers nationwide that touch Massachusetts residents’ personal data
Many, many more...
Examples
3-person firm in Massachusetts that only transacts business with companies:
Has employees’ personal information.
No de minimis threshold.
If payroll is processed by outside provider, it must also comply.
Examples
Large multi-national corporation. Tens of thousands of employees and petabytes of data in dozens of locations. Mountains of archives and backups off-site.
Enormity of job does not impact application of regs. Even Personal Information stored on backup tapes is technically PI.
Examples
Small retail store in New Hampshire:
If it accepts credit cards, it may well obtain Personal Information of Massachusetts residents.
There is no actual notice requirement.
Examples
Medium-sized North Carolina company that provides corporate data storage services, but has no Massachusetts customers:
Absent contractual safeguards, customers’ stored data may contain Massachusetts Personal Information.
There is no actual notice requirement.
About The WISP
1. Develop a comprehensive, written information security plan
2. Designate someone to be in charge of it
3. Implement, maintain and monitor it
What’s in a WISP?
(201 CMR 17.03) Requirements for protecting all Personal Information, in whatever form
(201 CMR 17.04) Requirements that apply to electronic Personal Information records
General Requirements
(201 CMR 17.03)
Risk assessment
Inventory Personal Information
Off-premises access
Physical access
Disciplinary measures
WISP monitoring
Terminated employees
WISP reviews
3rd-party service providers
Post-hoc incident review
Risk Assessment
Security, Confidentiality, Integrity
Internal Risks / External Risks
Fact-specific analysis for identifying and assessing risk and evaluating and improving effectiveness of safeguards
Off-Premises Access
Assess “whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.”
Telecommuting
Use of messenger and delivery services
Ability to maintain files at home
Disciplinary Measures
State wants to know that WISP is taken seriously.
Discipline must be imposed for breach.
Flexibility can be preserved.
Terminated Employees
Access to Personal Information prohibited for terminated employees.
Email and network accounts turned off
Physical access prohibited
3rd-Party Providers
Before giving 3rd-party provider PI access:
1. Due diligence
2. Contractually obligate compliance
Applies to existing contracts as well as prospective ones
May force businesses to choose between compliance and breach
Limit Access to PI
Access limited to “legitimate purpose”:
amount collected
length of time kept
people with access
PI Inventory
Identifying categories of records and devices containing Personal Information.
Alternative is treating all data as Personal Information.
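As an added illustration (not part of the deck), a small Python scanner that applies the deck's definition of Personal Information (name plus SSN, driver's license or State ID number, card number, or financial account number) to sample records and reports which data stores hold PI. The field names, category labels and sample records are assumptions, and Massachusetts residency is taken as given rather than determined.

```python
import re
# 93H test (per the slide): a resident's name plus any one identifier below; residency itself is not checked.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits with optional separators
NAME_FIELDS = {"name", "full_name", "employee_name", "customer_name"}
FIELD_CATEGORY = {"drivers_license": "license_or_state_id", "state_id": "license_or_state_id",
                  "account_number": "financial_account", "bank_account": "financial_account"}

def luhn_ok(digits):
    """Luhn check so order ids and other digit runs are not counted as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def identifiers_in(record):
    """93H identifier categories in one record; licence/ID and account numbers match by field name."""
    found = set()
    for field, value in record.items():
        key, text = field.lower(), str(value).strip()
        if key in FIELD_CATEGORY and text:
            found.add(FIELD_CATEGORY[key])
        if SSN_RE.search(text):
            found.add("ssn")
        if any(luhn_ok(re.sub(r"[ -]", "", m)) for m in CARD_RE.findall(text)):
            found.add("payment_card")
    return found

def is_personal_information(record):  # a name in combination with at least one identifier
    named = any(f.lower() in NAME_FIELDS and str(v).strip() for f, v in record.items())
    return named and bool(identifiers_in(record))

def inventory(stores):
    """Map each store that holds PI to the sorted identifier categories it contains."""
    result = {}
    for store, records in stores.items():
        cats = set().union(*(identifiers_in(r) for r in records if is_personal_information(r)))
        if cats:
            result[store] = sorted(cats)
    return result

SAMPLE_STORES = {  # constructed sample data: fictitious names and test numbers, not real records
    "payroll": [{"employee_name": "A. Resident", "ssn": "123-45-6789"}],
    "orders": [{"customer_name": "B. Buyer", "card_number": "4111 1111 1111 1111"},
               {"customer_name": "C. Buyer", "order_id": "1234567890123456"}],  # fails Luhn
    "web_logs": [{"ip": "192.0.2.10", "card_number": "4111 1111 1111 1111"}],  # no name: not PI
}
```

Running inventory(SAMPLE_STORES) reports only the payroll and orders stores, since a card number with no accompanying name does not meet the definition.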
Physical Access
Physically restrict access to Personal Information
Personal Information must be kept in locked facilities or containers
WISP Monitoring and Review
WISP must provide for ongoing monitoring of plan effectiveness
At least annual review of WISP to accommodate new and unanticipated risks
Post Hoc Incident Reviews
After a “breach of security”:
subsequent review of response and necessary changes to prevent recurrence
documentation of event and response
Electronic Requirements
(201 CMR 17.04)
User authentication protocols
Secure access control measures
Encryption of transmitted records
Monitoring of systems
Laptop and mobile device encryption
Security patches and firewalls
System security agent software
Employee education and training
User Authentication
Protocols
Control use of user IDs
Secure password selection
Secure or encrypt password files
User accounts
Blocks for unsuccessful login attempts
Secure Access Control Measures
Permit access to records on “need to know” basis
Password-protected account logins to determine level of access
Encryption of Transmitted Records
Encryption of PI across public networks (i.e., Internet)
Tunneling options?
Faxes and VOIP phone calls?
Encryption of PI over wireless
Bluetooth, WEP, WPA?
Encryption definition is broad
Monitoring of Systems
Requires system to detect unauthorized use of, or access to, Personal Information
Compare to “Red Flag” requirement
Some existing user account-based systems will already comply
Laptop & Mobile Device Encryption
Encryption of Personal Information stored on laptops
Applies regardless of laptop location or use
Encryption of Personal Information stored on “mobile devices”
Does incoming email present a problem?
Security Patches & Firewalls
“Reasonably up-to-date firewall protection and operating system security patches” for Internet-connected computers
Problematic for legacy systems?
Dated OSs?
System Security Agent Software
Requires use of anti-malware software
Macs and Linux boxes?
Are certain products “better” from compliance standpoint?
“Set to receive…updates on a regular basis.”
Employee Education and Training
Proper use of computer systems
Importance of Personal Information security
Applies to all employees?
Enforcement
AG’s office enforces Chapter 93H and 201 CMR 17.00
No private right of action
But regs may become de facto standard in civil suits.
Discretion
Factors recognized by regs:
Size, scope and type of business
Resources available to business
Amount of stored data
Need for security and confidentiality
Liability and Risk
In the event of breach:
Governmental risk
Contractual risk
Insurance coverage at risk
Deadlines
Originally, Jan 1, 2009
Then, pushed to May 1, 2009
Now, deadline is Jan 1, 2010
The Approach
Audit and assess
Inventory type of PI kept
Review 3rd-party contracts
Assess risks
Plan information and data strategy
IT infrastructure and information process changes
Implement plan and policies
Contract changes, employee policies, etc.
40 Broad Street
Boston, MA 02109
(617) 350-6800
gesmer.com

980 Washington Street, Suite 124
Dedham, MA 02026
(781) 474-7700
ntirety.com

All rights reserved. ©2009 Gesmer Updegrove LLP. This may be considered advertising under Mass. R. Prof. C. 7.3(c).
