New Massachusetts Data Security Law Requirements: 201 CMR 17.00
A new regulation worthy of note, while not specifically directed at construction companies, is the new Massachusetts Data Security Regulation: 201 Code of Massachusetts Regulations (CMR) 17.00. This regulation is slated to take effect on January 1, 2010. Recent data security breaches over the past few years have caused lawmakers across the United States to strengthen regulations protecting the confidential personal information of individuals. Data breaches at banks, retail chain stores and credit card companies have caused widespread identity theft in Massachusetts and beyond, causing individuals tremendous hardship and costing them tens of thousands of dollars to repair their good name and restore their credit history. As a result, the new regulation was adopted, and it will require businesses to upgrade their data infrastructure. A company that does not take the required steps and finds itself in violation of the regulation could face financial liability for failing to adequately protect the personal information of its employees.
The purpose of the law is threefold: “(i) ensure the security and confidentiality of such (personal) information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such (personal) information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents.” See 201 CMR 17.01. Who does the regulation apply to? Any Massachusetts business or individual that electronically stores an individual’s name (first and last, or first initial and last name) together with one of the following: Social Security number, driver’s license or state-issued identification card number, financial account number (credit card or debit card number) or some other financial access number. In fact, the regulation also applies to non-Massachusetts businesses or individuals that store a Massachusetts resident’s personal information. Regardless of the size of the business, security procedures must be implemented.
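As an added example (not part of the article), a small Python classifier that applies the definition above when inventorying records for a WISP: a record counts as regulated personal information only when a name (first or initial, plus last) is paired with at least one of the listed identifiers. The identifier formats and the sample records are constructed assumptions, not formats taken from the regulation.

```python
import re

# Identifier formats are constructed assumptions for this example; a real
# data inventory should use patterns matched to the fields your systems hold.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
STATE_ID_RE = re.compile(r"\b[A-Z]\d{8}\b")          # assumed license/state ID format
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")   # 16-digit credit/debit number

def luhn_ok(number: str) -> bool:
    """Luhn check so arbitrary 16-digit strings are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def pi_elements(record: dict) -> set:
    """Regulated elements the record carries. Empty when no name is present:
    the definition requires a name in combination with an identifier."""
    if not (record.get("first", "").strip() and record.get("last", "").strip()):
        return set()
    text = " ".join(str(v) for k, v in record.items() if k not in ("first", "last"))
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if STATE_ID_RE.search(text):
        found.add("license_or_state_id")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        found.add("financial_account")
    return found

def regulated_records(records: list) -> list:
    """IDs of records that fall under the regulation's definition of PI."""
    return [r["id"] for r in records if pi_elements(r)]

# Constructed sample records (no real people or numbers).
SAMPLE_RECORDS = [
    {"id": 1, "first": "J", "last": "Smith", "notes": "SSN 123-45-6789"},
    {"id": 2, "first": "Ann", "last": "Lee", "license": "S12345678"},
    {"id": 3, "first": "Bob", "last": "Ray", "card": "4111 1111 1111 1111"},
    {"id": 4, "first": "Cy", "last": "Dunn", "phone": "617-555-0100"},
    {"id": 5, "first": "", "last": "", "notes": "SSN 987-65-4321"},      # no name
    {"id": 6, "first": "Di", "last": "Ortiz", "ref": "1234 5678 9012 3456"},  # fails Luhn
]

if __name__ == "__main__":
    print("Records subject to 201 CMR 17.00:", regulated_records(SAMPLE_RECORDS))
```

Records 5 and 6 show the two edge cases: an identifier with no name is not PI under the definition, and a 16-digit number that fails the Luhn check is not treated as a card number.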
The Commonwealth of Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) regulations require a comprehensive, written information security program (“WISP”) applicable to all records containing personal information (“PI”) about any resident of the Commonwealth of Massachusetts. The WISP must include administrative, technical and physical safeguards for PI protection. Topics the WISP must cover include:
- Defining when and how records containing PI will be stored, accessed or transported off your business premises
- Appointing at least one employee (the “Data Security Coordinator”) to maintain and supervise WISP implementation and performance
- Employee training
- Testing of the Security Program’s safeguards
In addition to the administrative components of the regulation such as the WISP, many physical and technical items need to be addressed. Organizations must:
- Restrict PI access to current and approved user accounts.
- Encrypt all PI records and files that are transmitted across public networks, and that are to be transmitted wirelessly (to the extent technically feasible).
- Configure firewalls properly and keep them current with the latest updates and firmware.
- Restrict physical access to PI records to those persons who have a need to know in connection with your legitimate business purpose, or in order to comply with state or federal regulations.
- At the end of the work day, secure all files and other records containing personal information in a manner that is consistent with the WISP’s rules for protecting the security of personal information.
- Protect any PI data that leaves business premises (e.g. encrypt all PI stored on laptops and other portable devices).
Encryption has been a hot-button topic for 201 CMR 17.02. The regulation requires that each WISP incorporate encryption as one of its safeguards. Companies that allow wireless access need to adopt and enforce a Secure Wireless Policy with WPA2 pre-shared key encryption or better. In addition, businesses must fully encrypt any laptop, USB drive, CD, DVD, etc. containing PI that may ever leave the premises. Stolen and lost laptops are one of the leading causes of data breaches. If, however, organizations adhere to the regulation and ensure laptop full disk encryption, notification to authorities or affected individuals is not required. Companies can acquire a range of disk encryption products to ensure the confidentiality of data. Free software is available but not recommended due to its complexity. Companies will benefit from having an individual or firm experienced with encryption undertake the implementation.
In addition to the costs of upgrading data security measures, a business or individual has another potential problem to be concerned about. If noncompliance with 201 CMR 17.00 is found, a business may be found negligent. A theory of negligence per se would thus arise. A business or an individual engaged in business should have insurance. However, a violation of this regulation may not be insurable, and if found liable, the business or person would have to pay any such damages out of pocket. Thus, loss of electronically stored personal information resulting in some type of identity theft would cause severe hardship not only for the harmed individual, but also for the business or individual responsible for safeguarding the information.
Article co-authored by David P. Mullen, Law Office of Attorney James F. McGrail and Daniel Bagley, Partner, Boston Data Group.