The New

Standard
M a s s a c h u s e t t s ’
s w e e p i n g n e w d a t a
p r o t e c t i o n r u l e s

Joe Laferrera
Gesmer Updegrove LLP
March 2010
Massachusetts’ Law:
Chapter 93H

Effective October 2007

Notification in event of data breach
Consistent with other states’ laws
Reactive
 Data Breach
Notification Laws
 Massachusetts’
Regulations:
201 CMR 17.00
Issued October 2008
Plan to secure and protect residents’
personal information
Broader than anything else in the
country
Proactive
 Overview
If regs apply:
must protect Personal Information
must have written information
security plan (WISP) detailing
policies and procedures
must have designee(s) responsible
for protecting Personal Information
Risk-based Factors

Prior drafts accused of taking one-

size-fits-all-approach
Computer security requirements
much be “technically feasible”
Several factors now go to compliance,
not enforcement
Risk-based Factors
Several factors now go to compliance,
not enforcement:
size, scope and type of business
resources available
amount of stored data
need for confidentiality and security
Massachusetts-type
Regulations
 Who’s Covered
Partner- Non- Educ.
Person Corp. Assoc.
ship profit Inst.
which

owns licenses receives maintains processes accesses

any

personal information about a Massachusetts resident

 Who’s Covered
Governor Patrick’s executive order IM
'T UTE
LIE
HY
. M
P VE
OT NANT G
O
RA
R
Y
UR NOR

mandating measures to protect PI lle ncy

xce
H is E ICK
By A T R

application to "all state agencies in

L. P NOR
C K
TRI
. PAOR A L R
DEV GOVE 504
L L N
VA OVER
DE . D
G
R NO Y AN TION
E I T
OR
D UR ORMA

the Executive Department"

E E C
C U TI V
T H E S AL INF r 412
)
E N e
EX ING O Ord to
A RD PERS t i v e
r d ing 9
G
RE ITY O F cu o
E R L g Exe a t , acc ny as s
D n a e
OR EN'TIA r s edi r i m e th as m siness
s
D e c t u
NFI Sup ious s, affe and b
c

including "executives offices,

CO a n d s e r c rs
o k ing f t is a statisti nsume
v e
(Re - - n t i ty th ission osts co ts has s to
e m c t
A S ,i d
e C om and
r ; c h us n step other ter
e
a a e g
ERE al Trad ch ye nnually ass nd tak amon ("Chap
boards, commissions, agencies, en t
H
W der
Fe cans e illion a
eri
curr ion Am tely $5
mill roxima
2b
a

e
m
e a l
f
onw identit resid Chapt
Com eat of n of it l Laws
y
M
th o theft a nts by r 93H
s
e
,
e
etts gated

departments, divisions, councils,

, t h t h r a t i o era u s
app R E AS wing form Gen s s ac romul s
h
r o i n tt s a p
E
WH d the g rsona chuse
l
t h e M n has andard
ize the pe assa ,
3H ulati rity st own, the
o
g n r 9
reco guard cting M a pte s Reg g secu s, who nts of

bureaus and offices"

h s
safe gs, en
a
n t to C usine definin entitie reside
t
thin "); rsua s and B 2009, n state abou
3H A S , p u
ffa ir y 1 , t h a a ti o n
y o f the d
9 r r r e
H ERE umer A Janua s, othe l inform e creta charg
W ons e n a S is
o f C ff e ctiv perso erson , the ords,
nse , in p H
ce
Offi -~latio e met iainta
by
p t e r 93 lic Rec
l b ha fr Pub
reg must re or n ; C
nt t e r v i so
o
h a t , sto a!th u a
t e je rs ~p
 Personal
Information
Massachusetts residents’ name +
Social Security number
Driver’s license or State ID
number
Credit card or debit card number
Financial account number
Territorial Reach

Essentially all Massachusetts businesses

Many retailers who accept credit cards
Third-party service providers
nationwide that touch Massachusetts
residents’ personal data
Many, many more...
 Examples
3-person law firm in Massachusetts that
only represents companies:
Has employees’ personal information.
No strict de minimus threshold, but
amount of data is relevant
If payroll is processed by outside
provider, it must also comply.
 Examples
Large multi-national corporation. Tens
of thousands of employees and petabytes
of data in dozens of locations. Mountains
of archives and backups off-site.
Even Personal Information stored on
backup tapes is technically PI, and new
backups must be encrypted and old
backups encrypted if transferred.
 Examples
Small business in New Hampshire:
If it accepts credit cards, it may well
obtain Personal Information of
Massachusetts residents.
No actual notice requirement.
But swiped, unstored data is
apparently outside the regs
 Examples
Medium-sized North Carolina company
that provides corporate data storage
services, but has no Massachusetts
customers:
Absent contractual safeguards,
customers’ stored data may contain
Massachusetts Personal Information.
No actual notice requirement.
 About The WISP
1. Develop a comprehensive, written
information security plan
2. Designate someone to be in charge
of it
3. Implement, maintain and monitor it
 What’s in a WISP?

(201 CMR 17.03) (201 CMR 17.04)

Requirements for Requirements that
protecting all Personal apply to electronic
Information, in Personal Information
whatever form records
 General
Requirements
(201 CMR 17.03)
Risk assessment Physical access

Off-premises access WISP monitoring

Disciplinary measures WISP reviews

Terminated employees Post-hoc incident

review
3rd-party service
providers
 Risk Assessment
Security Confidentiality Integrity

Internal
a l y s i s f o r
p e c i fi c a n k
Risks
F a c t - s e s s i n g r i s
g a n d a s s
ide n t i f y in
and i n g
d i m p r o v
a t in g a n d s
External evalu s o f s a f e g u a r
e n e s
Risks effectiv
Off-Premises Access
Develop policies “relating to the storage,
access and transportation of records
containing personal information outside of
business premises.”
Telecommuting
Use of messenger and delivery services
Ability to maintain files at home
 Disciplinary
Measures
State wants to know that WISP is
taken seriously.
Discipline must be imposed for
breach.
Flexibility can be preserved.
 Terminated
Employees
Access to Personal Information
prohibited for terminated employees.
Email
Network accounts
Physical access
3rd-Party Providers
Select 3rd-party providers “capable of
maintaining appropriate security measures”
consistent with Mass and federal regs
Contractually require compliance
1. In all contracts executed after effective
date (March 1, 2010)
2. In all contracts, after March 1, 2012
Changed yet again
Deleted Provisions
No more requirement of data
inventory
No more limitation on duration or
amount of collection to that
“reasonably necessary”
PI Inventory
 Physical Access
Physically restrict access to
Personal Information
Personal Information must
be kept in locked facilities
or containers
WISP Monitoring and
Review
WISP must provide for ongoing
monitoring of plan effectiveness
At least annual review of WISP to
accommodate new and unanticipated
risks
Post Hoc Incident
Reviews
After a “breach of security”:
subsequent review of response and
necessary changes to prevent
recurrence
documentation of event and
response
 Electronic
Requirements
(201 CMR 17.04)
User authentication Laptop and mobile
protocols device encryption

Secure access control Security patches and

measures firewalls

Encryption of System security agent

transmitted records software

Monitoring of systems Employee education

and training
User Authentication
Protocols
Control use of user IDs
Secure password selection
Secure or encrypt password files
User accounts
Blocks for unsuccessful login attempts
 Secure Access
Control Measures
Permit access to records on “need to
know” basis
Password-protected account logins
to determine level of access
 Encryption of
Transmitted Records
Encryption of PI across the Internet
Faxes and VOIP phone calls?
Encryption of PI over wireless
Bluetooth, WEP, WPA?
Encryption definition is broad
 Laptop & Mobile
Device Encryption
Encryption of PI stored on laptops
Applies regardless of laptop location
or use
Encryption of PI stored on “mobile
devices”
Encryption may not be “feasible”
How is incoming email treated?
 Monitoring of
Systems
Requires system to detect
unauthorized use of, or access to,
Personal Information
Some existing user account-based
systems will already comply
Security Patches &
Firewalls
“Reasonably up-to-date firewall
protection and operating system
security patches” for Internet-
connected computers
Legacy systems?
Dated OSs?
 System Security
Agent Software
Requires use of anti-malware
software
Macs and Linux boxes?
Are certain products “better” from
compliance standpoint?
“Set to receive…updates on a
regular basis.”
Employee Education
and Training
Proper use of computer systems
Importance of Personal
Information security
What about employees without
access to PI?
 Enforcement
AG’s office enforces Chapter 93H and
201 CMR 17.00
No private right of action
But regs may become de facto
standard in civil suits.
 Enforcement
Discretion
Agencies not all the same
OCABR promulgates the regs
AG’s office enforces them
 Liability and Risk
In the event of breach:
Governmental risk
Contractual risk
Insurance coverage at risk
 Deadlines
Originally, Jan 1, 2009
Then, pushed to May 1, 2009
Then, deadline became Jan 1, 2010
Now, effective as of March 1, 2010
Mar

1
2 0 1 0
 The Approach
Audit and assess
Inventory type of PI kept
Review 3rd-party contracts
Assess risks
Plan information and data strategy
IT infrastructure and information process
changes
Implement plan and policies
Contract changes, employee policies, etc.
 40 Broad Street
Boston, MA 02109
(617) 350-6800
gesmer.com

joe.laferrera@gesmer.com

Boston (Somerville), MA • Bedford, NH •

Manchester, NH • Marlborough, MA •
Rockland, MA • Waltham, MA
(888) 583-9200
colospace.com

All rights reserved. ©2010 Gesmer Updegrove LLP. This may be considered advertising under Mass. R. Prof. C. 7.3(c).