Today, November 14, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) extended the deadline for compliance with its new data security regulations. The regulations had been slated to take effect on January 1, 2009. Some aspects of the regulations are now scheduled to become enforceable on May 1, 2009 and others will not be enforced until January 1, 2010.
Quoting from a press release issued by the OCABR today:
The general compliance deadline for 201 CMR 17.00 has been extended from January 1, 2009 to May 1, 2009. The date is consistent with a new FTC Red Flag Rule, which requires financial institutions and creditors to develop and implement written identity theft prevention programs. Businesses addressing the new FTC requirements can now address the state regulations during the same time frame.
The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so will be extended from January 1, 2009 to May 1, 2009, and the deadline for requiring written certification from third-party providers will be further extended to January 1, 2010. This tiered deadline for requiring certification will ensure proper consumer protection and facilitate implementation without overburdening small businesses during harsh economic times.
The deadline for ensuring encryption of laptops will be extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices will be further extended to January 1, 2010. Many data breaches reported to date relate to laptops, and laptops are more easily encrypted than other portable devices such as memory sticks, DVDs and PDAs.
If you or your company have “personal information” concerning any Massachusetts resident (including information about your own employees), be prepared for a significant undertaking that may well affect the way you do business. The Commonwealth of Massachusetts has issued regulations pursuant to the state’s data breach notification law, and they are slated to go into effect on January 1, 2008. And while the notification law is largely consistent with the laws enacted by most other states, the regulations truly set Massachusetts apart.
The new regulations require any entity that maintains “personal information” regarding any Massachusetts resident to develop and implement a comprehensive, written information privacy plan that details how such information will be protected and secured. The business must also designate an employee to be responsible for the plan. This much might have been expected.
What sets the Massachusetts regulations apart, however, are their scope and specificity. The regulations list no fewer than twenty separate requirements for the plan, which mandate steps such as the training of all employees, the encryption of personal data on all laptops and mobile devices, the certification of all third-party service providers to ensure their appropriate treatment of personal information, and the institution of systems to monitor for data breaches and to implement appropriate anti-virus software and up-to-date security patches.
The regulations purport to apply to anyone holding personal information about Massachusetts residents, whether or not they themselves operate or do business in Massachusetts. As an initial matter, this covers virtually every business with a Massachusetts employee, since the combination of a name and a Social Security number qualifies as “personal information.” Companies outside of Massachusetts that process Massachusetts residents’ personal information — which would include virtually every retailer — are also within its scope. Further, service providers who work with any such companies will effectively be forced to comply with the regulations as well, since covered entities may only share personal information with service providers who are themselves compliant with the new mandates. Lawsuits regarding the extra-jurisdictional reach of these regulations are sure to come.
At a recent Boston Bar Association event, David Murray — the general counsel of the Massachusetts agency responsible for the new regulations — responded to questions regarding them. His responses indicated that they are, indeed, as broad as their language suggests. For example, Murray’s view is that existing long-term agreements with third-party service providers are subject to the regulations, which essentially means that relationships between Massachusetts companies and the vendors they use to handle “personal information” will likely require additional due diligence and potentially a renegotiation of contract terms. Murray, responding to comments pointing out how dramatic the changes required by the new regulations will be, said simply: “The regulations will not fit in with what is currently being done.”
Given the rapidly approaching January 1 deadline and the enormity of the task at hand, many believe that the Commonwealth will have little choice but to delay enforcement for six months or more. Further, the Attorney General’s Office, which will be in charge of enforcing the regulations, may take a “go slow” approach to clamping down. However, businesses should not dawdle in attacking this issue. First, implementation of the new information security plan will take time and resources, and even a six-month delay in the deadline will not give much breathing room. Second, independent of the AG’s enforcement strategy, the new regulations may well become a de facto standard against which hacked businesses are measured in civil suits. Businesses that find that customers’ credit card and financial account information has been lost or hacked may find themselves fielding more questions about their compliance from class action trial lawyers than from the Attorney General’s Office.
The system is screaming for a unification of the more than forty different regimes being implemented by various states across the country. Whether these regulations are sufficiently bold to move Congress to act has yet to be seen, but the election and the financial crisis may well leave data security legislation as a low priority at the federal level. The prudent businessperson will neither assume that the Commonwealth will delay implementation of these regulations for any substantial period of time, nor rely on the federal cavalry to ride in at the last minute to save the day.
Below is a white paper that describes the regulations in more detail: