March 1, 2010 has come and gone. If you are a person who owns or licenses personal information about a resident of the Commonwealth of Massachusetts, the law has changed for you. Perhaps one of the strictest laws to date for protection of personal information, the bar has been set and soon other states will be following suit. Please note: This applies to anybody who has personal information of any resident of the Commonwealth of Massachusetts - not just Commonwealth businesses!
Essentially, this regulation establishes minimum standards to be met in connection with safeguarding of personal information contained in both paper and electronic records. While similar in nature to other regulations including PCI and GLBA, this regulation goes much further. For startes, here’s the definition of “Personal Information”:
Personal information, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver’s license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.
With that, the breakdown on the requirements include:
(1) Develop, implement, and maintain a comprehensive written Information Security Program that contains administrative, technical, and physical safeguards.
(2) The Information Security Program shall include, but not be limited to:
(a) Designating one or more employees to maintain the program
(b) Identifying and foreseeing internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks including:
1. ongoing employee training;
2. employee compliance with policies and procedures; and
3. means for detecting and preventing security system failures.
(c) Develop security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.
(d) Imposing disciplinary measures for violations of the Information Security Program rules.
(e) Preventing terminated employees from accessing records containing personal information.
(f) Oversee service providers, by:
1. Taking reasonable steps to select and retain 3rd party providers that are capable of maintaining appropriate security measures to protec PII (Personal Identity Information) consistent with these regulations and any applicable federal regulations; and
2. Requiring 3rd party service providers by contract to implement and maintain such security measures for personal information.
(g) Reasonable restrictions upon physical access to records containing PII, and storage of such records and data in locked facilities, storage areas, or containers.
(h) Regular monitoring to ensure that the comprehensive Information Security Program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PII; and upgrading safeguards as necessary to limit risks.
(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may implicate the security or integrity of records containing PII.
(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of PII.
In addition, every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum shall have the following elements:
(1) Secure user authentication protocols including:
(a) control of user IDs and other identifiers;
(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(d) restricting access to active users and active user accounts only; and
(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
(2) Secure access control measures that:
(a) restrict access to records and files containing PII to those who need such information to perform their job duties; and
(b) assign unique identifications plus passwords; which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the seucirty of the access controls;
(3)Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
(4) Reasonable monitoring of systems, for unauthorized use of or access to personal
(5) Encryption of all personal information stored on laptops or other portable devices;
(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
(7) Reasonably up-to-date versions of system security agent software which must include
malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
If you would like to read more information about these requirements, please visit http://www.mass.gov/consumer.
This is only the beginning of more state regulations and requirements to come. Other states that have privacy laws include:
- Connecticut - Ct. H.B. 5658.
- Massachusetts - 201 Mass. Code Regs. §§ 17.01 - 17.04.
- Michigan - Mich. Comp. Laws § 445.84.
- New Mexico - N.M. Stat. §§ 57-12B-2 - 57-12B-3.
- New York - N.Y. Gen. Bus. Law § 3990dd(4).
- Texas - Tex. Bus. & Com. Code § 35.581 (effective through March 31, 2009); Tex. Bus. & Com. Code § 501.051 - 501.053 (effective April 1, 2009).