January 3, 2008

MASSACHUSETTS AGENCY WEIGHING PRESCRIPTIVE STATE-SPECIFIC DATA SECURITY REGULATIONS

WRITTEN AND ORAL TESTIMONY TO BE RECEIVED JANUARY 11

The Massachusetts Department of Consumer Affairs & Business Regulation (DCABR) has proposed regulations that will affect every company that stores personal information regarding Massachusetts residents.

In 2007, Massachusetts enacted a security breach notification statute that directed DCABR to promulgate data security regulations. DCABR is authorized to promulgate regulations “designed to safeguard the personal information of residents of the commonwealth... consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person is regulated.”

On January 11, 2008, DCABR will hold a public hearing in Boston on the data security regulations it has proposed to implement this law. The proposed rules include audit trail, encryption, and data minimization requirements. Unless modified, these draft regulations would be the first broadly applicable data security rules in the country to depart in significant ways from the Gramm-Leach-Bliley (GLB) Safeguards Rule, 16 C.F.R. Part 314, and could set a harmful precedent. In October 2007, DLA Piper attorneys met with the DCABR director and deputy director/general counsel to encourage the issuance of regulations that reflect the legislature’s directive to track the Safeguards Rule. In that meeting, we noted that the Safeguards Rule has effectively become the de facto standard for the security of sensitive personal information.

The Proposed DCABR Regulations

Although the proposed DCABR regulations impose requirements similar to those of the GLB Safeguards Rule, 16 C.F.R. Part 314, they also impose certain more prescriptive requirements. These would compel businesses with Massachusetts customers to implement special data security protocols solely for data that pertains to Massachusetts residents.

If implemented in their current form, the proposed regulations would set a potentially dangerous precedent toward a patchwork of state-specific data security regulations that, at a minimum, would impose significant compliance burdens.

Protecting Personal Information

Under Section 17.03 of the proposed regulations, businesses that handle personal information1 of Massachusetts residents must develop a written information security program that “shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records.” The safeguards contained within this program must be “consistent with the safeguards for protection of personal information and information of a similar character set forth” in state or federal regulations.

Although many aspects of the required information security program are similar or identical to the GLB Safeguards Rule, there are notable exceptions, including requirements to:

  • Collect “the minimum amount of personal information necessary to accomplish the legitimate purpose for which it was collected” and retain such information “for the minimum time necessary to accomplish such purpose”;
  • Inventory all records to identify those records containing personal information;
  • Monitor and audit, on a regular basis, employee access to personal information;
  • Develop security policies for employees who telecommute that address whether such employees should keep, access, or transport data containing personal information;
  • Impose disciplinary measures for violating information security program rules;
  • Prevent terminated employees from accessing records containing personal information; and
  • Document responsive actions taken in connection with any incident involving a security breach.

While many of these requirements reflect best practices, they are far more specific than data security mandates imposed in identity theft/breach notification statutes in other states.

Computer System Security Requirements

The proposed regulations impose specific computer system security requirements covering secure user authentication protocols and access control measures.

The secure user authentication protocols must include:

  • control of user IDs and other identifiers;
  • a secure method of assigning and selecting passwords of at least seven characters;
  • control of passwords to ensure that passwords are kept at a separate location from the data to which passwords permit access;
  • a process to restrict access to active users and user accounts only; and
  • a process to block user identification after multiple unsuccessful attempts to gain access to a particular system.

Secure access control measures must restrict access to records and files containing personal information to those individuals who need it to perform their job duties, and must assign each person with computer access a unique identification and a password that is not supplied by a vendor.

Further Prescriptive Requirements

Section 17.04 also imposes several other data security requirements that appear to deviate from the DCABR’s statutory mandate. Some of these data security requirements are not consistent with existing state and federal regulations, and, in some instances, would compel businesses to implement data security protocols for the sole purpose of complying with Massachusetts’ regulations. Section 17.04 requires:

  • Encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks;
  • “Periodic monitoring of networks and systems, for unauthorized use of or access to personal information, and recording the audit trails for users, events, dates, times, success or failure of login”;
  • “Periodic review of audit trails restricted to those with job-related need to view audit trails”;
  • Firewall protection with up-to-date patches, including operating system security patches;
  • The “most current version” of security agent software, including antispyware and antivirus software and “up-to-date patches and virus definitions”;
  • Education and training of employees on the proper use of the computer security system and the importance of information security; and
  • Restricted physical access to computerized records containing personal information, including written procedures that describe how access is protected.
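The authentication and audit-trail controls listed under Section 17.04 (a seven-character password minimum, no vendor-supplied passwords, access limited to active users, lockout after multiple failed attempts, and a login audit trail recording user, event, date/time and success or failure) are concrete enough to be demonstrated in code. The following is an added illustrative example, not code from DLA Piper or from the draft regulation. The lockout threshold of five attempts, the PBKDF2 parameters and the list of vendor-default passwords are assumptions; the regulation itself only says “multiple” attempts and does not name an algorithm.

```python
"""Toy login gate illustrating the 201 CMR 17.04 authentication and
audit-trail controls. Added example, not part of the DLA Piper alert or
the draft regulation; thresholds and the vendor-default list are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

MIN_PASSWORD_LENGTH = 7    # 17.04: passwords of at least seven characters
MAX_FAILED_ATTEMPTS = 5    # 17.04 says "multiple"; five is an assumed threshold
PBKDF2_ITERATIONS = 100_000  # assumed work factor, not from the regulation
# Constructed list of vendor/default passwords that 17.04 forbids assigning.
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default"}


class PolicyError(ValueError):
    """Raised when an account operation would violate the 17.04 controls."""


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    active: bool = True        # set to False for terminated employees
    failed_attempts: int = 0
    locked: bool = False


class AuthStore:
    """Credential store kept separate from the personal-information records
    (17.04: passwords stored apart from the data they unlock)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Audit trail: user, event, date/time, success or failure (17.04).
        self.audit_log: list[dict] = []

    def _record(self, user_id: str, event: str, success: bool) -> None:
        self.audit_log.append({
            "user": user_id,
            "event": event,
            "time": datetime.now(timezone.utc).isoformat(),
            "success": success,
        })

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def create_account(self, user_id: str, password: str) -> None:
        """Assign a unique ID and a password that is neither short nor a vendor default."""
        if user_id in self.accounts:
            raise PolicyError("user IDs must be unique")
        if len(password) < MIN_PASSWORD_LENGTH:
            raise PolicyError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        if password.lower() in VENDOR_DEFAULT_PASSWORDS:
            raise PolicyError("vendor-supplied or default passwords are not permitted")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, self._hash(password, salt))
        self._record(user_id, "account_created", True)

    def deactivate(self, user_id: str) -> None:
        """Block a terminated employee: only active users may authenticate."""
        self.accounts[user_id].active = False
        self._record(user_id, "account_deactivated", True)

    def login(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        # Unknown, deactivated and locked accounts all fail the same way,
        # so the response does not reveal which condition applied.
        if acct is None or not acct.active or acct.locked:
            self._record(user_id, "login", False)
            return False
        ok = hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt))
        if ok:
            acct.failed_attempts = 0
        else:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True    # 17.04: block the ID after multiple failures
                self._record(user_id, "account_locked", True)
        self._record(user_id, "login", ok)
        return ok
```

Every login attempt, successful or not, lands in `audit_log` with the user, event, UTC timestamp and outcome, which is the record the “periodic review of audit trails” requirement presumes exists. Holding the credential store as its own object (in practice, its own database or service) rather than alongside the personal-information records is how the “passwords kept at a separate location from the data” clause is typically met.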

Public Hearing on January 11

DLA Piper US has been active in both the legislative and regulatory process leading up to the public hearing that will take place in Boston on January 11, 2008. Interested parties may present oral or written testimony at that hearing. Clients who are interested in submitting written or oral testimony should contact us as soon as possible.

1 “Personal information” is defined in the same manner as Massachusetts’ security breach statute. It includes a narrow set of data elements (i.e., SSN, driver’s license number, or financial account number with a passcode) combined with a person’s name.