Tactical Advice

Massachusetts Mandate

The Bay State sets the benchmark on protecting personal information.
This story appears in the March 2009 issue of BizTech Magazine.

Lynn R. Charytan, WilmerHale

The federal government and more than 40 states have laws dictating how companies maintain, protect and dispose of personal information, as well as how they must respond if the privacy of that information is compromised. But it took the creation of stringent new data security regulations in Massachusetts for many businesses to sit up and take notice.

The Massachusetts rules impose detailed requirements that go beyond those of many other jurisdictions. The regulations apply to any business that maintains personal information about a Massachusetts resident and require a comprehensive written data security program. Beyond mandating far-reaching administrative, physical and technical safeguards for data, the regulations specify a host of computer security measures, including specifications for user authentication and encryption of information transmitted over public networks or stored on notebooks and other devices.

The regulations go into effect in May 2009, although deadlines for the encryption and certain other requirements have been extended until January 2010. Companies that handle data on Massachusetts residents are scrambling to comply. Businesses outside Massachusetts also need to be aware of these new rules, for at least two reasons. First, the Massachusetts requirements, which are designed to take into account the current state of information technology, are likely to become the de facto “standard of care” in the eyes of courts, regulators and consumers nationwide. Second, other state governments and agencies are sure to follow suit. Here are some points from the new rules companies should take to heart:

Interpret “personal information” broadly. Under the Massachusetts rules, as in most jurisdictions, personal information means a resident’s name combined with one or more sensitive identifiers, such as a Social Security number, a driver’s license number or a financial account number. A name alone, or an identifier alone, does not trigger the rules; the combination does.

Understand where your organization stores personal information. The rules require that companies either conduct a thorough audit to determine which records contain personal information or treat all records as if they did and safeguard them accordingly. The review process should be broad: The Massachusetts rules apply to both paper and electronic records, and all departments should be consulted, including human resources, IT, customer service and any other function that stores personal information.
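A starting point for that audit, as an added example and not part of the article or of any Massachusetts guidance: a small Python scanner that walks exported records from several departments and reports those in which a name appears together with one of the identifiers named above. The identifier patterns, the driver’s license format, the Luhn check used to separate account numbers from order numbers of similar length, and the sample records are constructed assumptions for illustration, not the regulation’s definitions.

```python
"""Inventory records for personal information (name + sensitive identifier).

Added example; the patterns below are illustrative assumptions, not the
text of the Massachusetts regulation.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The SSN pattern rejects area numbers 000, 666 and 900-999 and all-zero
# group/serial fields, which trims false positives from padded IDs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumed licence format for the sample data: the letter S and eight digits.
DL_RE = re.compile(r"\bS\d{8}\b")
# Card and bank account numbers: 12 to 19 digits, confirmed with a Luhn
# check so that job or order numbers of the same length are not reported.
ACCT_RE = re.compile(r"\b\d{12,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    source: str
    record_id: str
    identifiers: list[str]
    is_personal_information: bool   # identifier(s) present together with a name


def classify_record(record: dict, source: str) -> Finding | None:
    """Report any sensitive identifier in a record; mark the record as
    personal information only when a name accompanies the identifier."""
    text = " ".join(str(v) for v in record.values())
    found: list[str] = []
    if SSN_RE.search(text):
        found.append("ssn")
    if DL_RE.search(text):
        found.append("drivers_license")
    if any(luhn_ok(m.group()) for m in ACCT_RE.finditer(text)):
        found.append("account_number")
    if not found:
        return None
    has_name = bool(record.get("name"))
    return Finding(source, str(record.get("id", "?")), found, has_name)


def inventory(sources: dict[str, list[dict]]) -> list[Finding]:
    """Scan every record from every department export."""
    findings = []
    for source, records in sources.items():
        for rec in records:
            finding = classify_record(rec, source)
            if finding is not None:
                findings.append(finding)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count records holding personal information, per department."""
    counts: dict[str, int] = {}
    for f in findings:
        if f.is_personal_information:
            counts[f.source] = counts.get(f.source, 0) + 1
    return counts


# Constructed sample exports from three departments (not real data).
SAMPLE_SOURCES = {
    "hr": [
        {"id": "hr-1", "name": "Jane Doe", "ssn": "123-45-6789", "state": "MA"},
        {"id": "hr-2", "name": "John Roe", "ssn": "000-12-3456"},  # invalid SSN area
    ],
    "customer_service": [
        {"id": "cs-1", "note": "Caller read out licence S12345678 to verify identity"},
        {"id": "cs-2", "name": "Ann Poe", "note": "refund to card 4111111111111111"},
    ],
    "it": [
        {"id": "it-1", "name": "deploy-bot", "note": "job 1234567890123 finished"},
    ],
}

if __name__ == "__main__":
    for f in inventory(SAMPLE_SOURCES):
        print(f)
    print(summarize(inventory(SAMPLE_SOURCES)))
```

Records that carry an identifier without a name (the customer-service note above) are still reported, because the free text may sit next to the customer’s name in another field or another system; the summary counts only the combinations that meet the definition.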

Limit the amount of personal information stored. Keeping more personal information than needed creates unnecessary risks. The rules require that companies limit the collection of unnecessary information and dispose of that information when it serves no purpose.

Adopt a written security program. Massachusetts requires companies to develop a comprehensive written information security program. Putting safeguards in writing ensures that the approach is thought out, gives auditors and regulators something to measure against, and tells employees what is expected of them.

Implement administrative, physical and technical safeguards. Massachusetts makes explicit that a security policy must be comprehensive to be effective. A need-to-know access rule is toothless if employees are not trained. And such rules should be backed up by locked filing cabinets and technology that limits or tracks access.

Take protective measures with respect to third-party access and breaches. The Massachusetts rules require securing computer systems with firewalls and user authentication. Companies also remain responsible for personal information that they share with vendors, transmit over the Internet or allow to leave company premises on notebooks or other portable devices. Companies must obtain written certifications from vendors that handle the data and must encrypt information in transit over public networks and on portable devices.

Create a response plan when things go wrong. Like more than 40 states, Massachusetts has a data breach law that requires notification of affected individuals. Adopting a response plan in advance will facilitate compliance and may help reduce the risk to individuals and the company.

Acknowledge that this is not a one-time endeavor. Risks change over time. The Massachusetts regulations obligate companies to conduct periodic assessments and compliance audits and adopt new safeguards to address any deficiencies.

Lynn R. Charytan is an attorney in the Washington, D.C., office of WilmerHale.