Massachusetts has passed what is considered the most sweeping privacy regulation in the nation. The Massachusetts data security regulation, 201 CMR 17.00, has far-reaching implications that affect nearly every business, large or small, that has even a single client, customer or employee located in Massachusetts. Unlike many of its federal counterparts, the Massachusetts regulation is a relatively easy read. The law takes effect on March 1, 2010 and governs every business that “Owns or Licenses” certain “Personal Information,” terms that are defined in simple language in the regulation.
But simple does not mean easy. The regulation requires businesses that own or license personal information to create and implement a written information security program, frequently called a WISP. Security policies may be straightforward or very complex depending on the nature of the business. Until the state begins to enforce the regulation and publish more guidance, those of us practicing in this area are taking an educated best guess as to how best to meet the requirements.
Here are five things that every business owner needs to know about the new regulation:
1. If a business has employees who reside in Massachusetts, then it must have a security program in place and implemented by March 1. It does not matter where the business is located or where the employee carries out their job function. “Personal Information” is a person’s name together with their social security number, driver’s license number or financial account number (e.g. checking, credit card or other account number). 201 CMR 17.02. It is difficult to imagine a business with employees that would not somewhere have a record of their social security numbers. In order to process payroll, administer benefits or issue any tax filings, the employer must have the employee’s social security number.
2. If a business has Massachusetts customers or clients and accepts checks, credit or debit cards as payment for goods or services, then the business must comply with the regulation. A business “owns or licenses” personal information if it “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services.” 201 CMR 17.02. If you are strictly a cash business, then you may be exempt, provided you have no employees (see above). But if your company ever handles a person’s social security number or driver’s license number, or if you accept checks or credit cards, you are most likely covered by the regulation.
3. Compliance requires a comprehensive security plan that must be in writing. Even if you already follow best practices for handling sensitive information, the regulation requires that the plan be written down and include administrative safeguards (e.g. security training, defined job functions, etc.), technical safeguards (e.g. data encryption, firewalls, virus and anti-malware protection, etc.), and physical safeguards (e.g. door locks, locked cabinets and desks, alarm systems, etc.). Note that the law applies not only to electronic records but to paper records as well.
4. Creating the plan is not enough; it must be implemented and maintained. Yes, it seems obvious, but it is not uncommon for a plan to be written and never put into use. Perhaps one department creates the plan, but due to a lack of communication among departments, budget constraints, or misunderstanding of the requirements, the plan is never fully adopted. And implementation alone is not sufficient. The business must review and adjust its plan at least annually or “whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.” 201 CMR 17.03(i).
5. Businesses that are already in compliance with HIPAA (medical records), GLBA (financial records) or other state or federal privacy statutes are not exempt from the Massachusetts requirements. This is a common misconception that I hear from my clients. The data security regulation has many similarities to other statutes, but the scope of what is covered is very different. For instance, the Massachusetts regulation is concerned with Personal Information of employees.
So what should you do next? If you have not yet begun the process of creating your security program, the worst thing to do is stick your head in the sand and ignore the problem. There are certainly many businesses like yours, but the ones that will have the biggest problems are those that fail to take action to become compliant as quickly as possible. Penalties for violations are substantial - $5,000 per violation. And that says nothing of any damages your company may be forced to pay to victims of identity theft, or of the immeasurable cost of a loss of trust and integrity.
I recommend a two-team approach. First, assemble your internal “security force.” This would likely consist of the department heads and other individuals who have oversight or knowledge of all of the internal processes where Personal Information enters, flows or is stored in your organization. Second, work with both legal and IT professionals familiar with the regulation (this could be your own IT department, depending on their capabilities). Together, the teams will work to identify and evaluate existing vulnerabilities and then develop and implement the security policies and procedures necessary to address those risks. If everyone works together, the process will be manageable and completed in short order and at reasonable cost.
If you would like more information on this topic, please call me at 781-707-3883 or use the “Contact Me” page listed above.