The federal government and more than 40 states have laws dictating how companies maintain, protect and dispose of personal information, as well as how they must respond if the privacy of that information is compromised. But it took the creation of stringent new data security regulations in Massachusetts for many businesses to sit up and take notice.
The Massachusetts regulations (201 CMR 17.00) impose detailed requirements that go beyond those of most other jurisdictions. They apply to any business, wherever located, that owns or licenses personal information about a Massachusetts resident, and they require a comprehensive written information security program. Beyond mandating far-reaching administrative, physical and technical safeguards, the regulations specify a host of computer security measures, including requirements for user authentication and for encryption of personal information transmitted over public networks or wirelessly and of personal information stored on laptops and other portable devices.
The regulations go into effect in May, although the deadlines for the encryption and certain other requirements have been extended to January 2010. Companies that handle data on Massachusetts residents are scrambling to comply. Businesses outside Massachusetts also need to be aware of these rules, for at least two reasons. First, the Massachusetts requirements, which are designed to reflect the current state of information technology, are likely to become the de facto “standard of care” in the eyes of courts, regulators and consumers nationwide. Second, other state governments and agencies are sure to follow suit. Here are some points from the new rules that companies should take to heart:
Interpret “personal information” broadly. Under the Massachusetts rules, as in most jurisdictions, personal information means a resident’s first name (or initial) and last name in combination with an identifier such as a Social Security number, driver’s license or state identification card number, or financial account or credit card number. The practical consequence is that any record pairing a name with one of these identifiers, in whatever department or format it sits, falls within the rules.
Understand where your organization stores personal information. The rules require that companies either conduct a thorough audit to determine which records contain relevant information or safeguard all records. The review process should be broad: The Massachusetts rules apply to both paper and electronic records, and all departments should be consulted, including human resources, IT, customer service and others that store personal information.
Limit the amount of personal information stored. Keeping more personal information than needed creates unnecessary risks. The rules require that companies limit the collection of unnecessary information and dispose of that information when it serves no purpose.
Adopt a written security program. Massachusetts requires companies to develop, implement and maintain a written information security program. Putting safeguards in writing forces the approach to be thought out, assigns responsibility for it and gives auditors and regulators something concrete to measure against.
Implement administrative, physical and technical safeguards. Massachusetts makes explicit that a security policy must be comprehensive to be effective. A need-to-know access rule is toothless if employees are not trained. And such rules should be backed up by locked filing cabinets and technology that limits or tracks access.
Take protective measures with respect to third-party access and breaches. The Massachusetts rules require securing computer systems with reasonably up-to-date firewall protection, operating system patches and malware protection, together with secure user authentication and access controls. Companies are also responsible for personal information that they share with vendors, transmit over the Internet or wirelessly, or allow to leave company premises on laptops or other portable devices. Companies must obtain assurances from third-party service providers that they will protect the information, and must encrypt personal information in transit over public networks and at rest on portable devices.
Create a response plan when things go wrong. Like more than 40 states, Massachusetts has a data breach law that requires notification of affected individuals. Adopting a response plan in advance will facilitate compliance and may help reduce the risk to individuals and the company.
Acknowledge that this is not a one-time endeavor. Risks change over time. The Massachusetts regulations obligate companies to monitor their safeguards, review the scope of the program at least annually and whenever business practices materially change, and adopt new safeguards to address any deficiencies the review turns up.