Out-of-State Exempt Organizations May be Affected by New Massachusetts Data Security Regulations

Massachusetts's new data security regulations, effective March 1, 2010, currently set forth the country’s most stringent requirements for protecting data. Extending beyond what is required by other states, Massachusetts specifies that, for example, covered entities, including exempt organizations, must implement a written information security program and must encrypt personal information that will be transmitted over the Internet, or that is kept on laptops and other portable devices.  Out-of-state exempt organizations working with Massachusetts residents should determine whether they have to comply with these new regulations. 

Massachusetts regulators and enforcement agencies would likely make the following three arguments that certain out-of-state exempt organizations, like in-state exempt organizations, must comply with the new regulations.

First, Massachusetts would likely argue that, in order to determine whether an exempt organization is subject to the regulations, the threshold inquiry involves an assessment of the information owned or licensed by the exempt organization, not an assessment of where that exempt organization is located. The regulations pertain to legal entities that own or license personal information of Massachusetts residents, which is defined as a Massachusetts resident’s first and last name, or first initial and last name, in combination with any one or more of the following data elements related to the resident: (1) social security number; (2) driver’s license number or state-issued identification card number; or (3) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. Thus, Massachusetts would likely contend that any exempt organization that owns or licenses personal information of Massachusetts residents – regardless of where that exempt organization is located – is a covered entity under the regulations.

Second, based on discussions that occurred before the regulations went into effect, it is safe to expect that Massachusetts regulators will assert the right to enforce the regulations against out-of-state exempt organizations. While no litigation has been filed as yet – the regulations have been in effect for just over two months – Massachusetts regulators have made clear that they intend to vigorously enforce the regulations to the extent required to protect Massachusetts residents from identity theft, the very purpose for which these regulations were promulgated.

Third, Massachusetts would likely argue that owning or licensing personal information is sufficient for jurisdictional purposes. Specifically, Massachusetts would contend that, by owning or licensing personal information of Massachusetts residents, the out-of-state exempt organization purposefully availed itself of the privilege of conducting business in Massachusetts. Alternatively, Massachusetts would contend that owning or licensing personal information of Massachusetts residents constitutes sufficient contacts with Massachusetts. While no precedent currently exists on this issue, Massachusetts would attempt to convince the courts that owning or licensing a Massachusetts resident’s personal information satisfies one or both of these jurisdictional tests.

Because we expect that Massachusetts will aggressively enforce these new regulations, we encourage out-of-state exempt organizations that own or license personal information of Massachusetts residents to work towards compliance with the new regulations by implementing administrative, technical, and physical safeguards to protect the personal information they own or license.

Nonprofits Must Comply With the New Massachusetts Data Security Breach Law

The Massachusetts data security breach law and proposed regulations have triggered extensive discussions and debate over the past year.  The issues and concerns raised resulted in extension of the compliance dates for the law.  However, although significant modifications have recently been made under the leadership of the new Undersecretary for Consumer Affairs, Barbara Anthony, substantial compliance with the law will soon be required (March 1, 2010) – and required by many organizations that are not aware that the new requirements apply to them, particularly nonprofit organizations and smaller businesses.

We thought it would be helpful to offer a summary of key provisions and guidance on ensuring compliance with what has been called the "toughest-in-the-nation" data protection law and corresponding regulations. 

In general, nonprofit organizations, wherever located, that employ or serve Massachusetts residents are subject to the new and far-reaching Massachusetts data security regulations.  The regulations set forth standards that must be met by any non-governmental entity that owns or licenses personal information about a resident of the Commonwealth.  While the proposed regulations were recently revised to include a “risk-based” approach – a shift indicating that Undersecretary Anthony has listened to widespread criticism of the regulations, particularly from small business leaders, and understands their impact – compliance will still present significant challenges that entities of all sizes will have to consider.

The regulations apply to any entity that owns or licenses “personal information,” which is defined by the regulations as a Massachusetts resident’s first name and last name, or first initial and last name, in combination with any one or more of the following: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. By virtue of this broad definition, nonprofit entities must ensure that any such information related to their employees, clients or customers is adequately protected.
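The definition quoted above (and the identical one in the first article) is the scoping rule: a record is "personal information" only when a Massachusetts resident's name or first initial plus last name appears together with at least one of the listed data elements. The following script, an added example rather than anything from the article or the regulations, applies that rule to structured records so an organization can inventory which records, and therefore which systems, fall under the regulations. Field names (`first_name`, `ssn`, `card_number`, and so on), the use of a mailing-address state as a proxy for residency, and the sample records are all assumptions constructed for this example.

```python
"""Scope check for the Massachusetts 'personal information' definition.

Added example (not from the article or the regulations). Classifies records
according to the definition quoted in the article: first name or first
initial, plus last name, combined with a Social Security number, driver's
license or state ID number, or financial account / credit / debit card number,
for a Massachusetts resident. Field names and the residency proxy are assumed.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Assumed record field -> data element named in the definition.
# A card number qualifies on its own ("with or without any required
# security code"), so security codes and PINs are not listed here.
DATA_ELEMENT_FIELDS: Dict[str, str] = {
    "ssn": "social security number",
    "drivers_license": "driver's license number",
    "state_id": "state-issued identification card number",
    "account_number": "financial account number",
    "card_number": "credit or debit card number",
}


def _present(value) -> bool:
    return bool(str(value or "").strip())


def _has_name(record: dict) -> bool:
    # A first initial satisfies the definition, so any non-empty first
    # name combined with a last name counts.
    return _present(record.get("first_name")) and _present(record.get("last_name"))


def classify(record: dict) -> dict:
    """Return whether a record is 'personal information' under the definition,
    and which data elements made it so."""
    # Assumption: the mailing-address state stands in for residency.
    resident = str(record.get("state") or "").strip().upper() == "MA"
    elements: List[str] = [
        label for field, label in DATA_ELEMENT_FIELDS.items()
        if _present(record.get(field))
    ]
    covered = resident and _has_name(record) and bool(elements)
    if not resident:
        reason = "not a Massachusetts resident"
    elif not _has_name(record):
        reason = "no first name/initial and last name"
    elif not elements:
        reason = "no qualifying data element"
    else:
        reason = "name combined with: " + ", ".join(elements)
    return {"covered": covered, "elements": elements if covered else [], "reason": reason}


def inventory(records: Iterable[dict]) -> dict:
    """Summarise a data store: how many records are in scope and which data
    elements appear, i.e. what the written security program must protect."""
    total = covered = 0
    elements: Counter = Counter()
    for rec in records:
        total += 1
        result = classify(rec)
        if result["covered"]:
            covered += 1
            elements.update(result["elements"])
    return {"total": total, "covered": covered, "elements": dict(elements)}


# Constructed sample records (not real people or real numbers).
SAMPLE_RECORDS = [
    {"first_name": "Alice", "last_name": "Example", "state": "MA", "ssn": "000-00-0000"},
    {"first_name": "B", "last_name": "Example", "state": "ma", "card_number": "4111111111111111"},
    {"first_name": "Carol", "last_name": "Example", "state": "MA", "email": "carol@example.org"},
    {"first_name": "Dan", "last_name": "Example", "state": "NH", "ssn": "000-00-0001"},
    {"first_name": "", "last_name": "Example", "state": "MA", "account_number": "12345678"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec)["reason"])
    print(inventory(SAMPLE_RECORDS))
```

Running the script on the constructed records flags two of the five as in scope: the full name with an SSN, and the first initial plus last name with a card number. A name alone, an out-of-state resident, or a data element without a first name or initial does not meet the definition. The inventory output is the starting point for the rest of the program: records that are in scope are the ones that must be encrypted when transmitted over public networks or stored on portable devices, and the systems holding them are the ones the access-control, patching and monitoring requirements attach to.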

The current regulations enable persons covered by the regulations to tailor their information security programs to their size, scope, type of business, resources, amount of personal information and need.  These changes were primarily intended to ease the burden of the regulations on entities like nonprofits that may not handle a significant amount of personal information, or may not have the resources to develop a sophisticated security program. 

Nonetheless, nonprofits that own or license personal information of Massachusetts residents must adopt appropriate safeguards to protect this information. For example:

  • They must develop, implement and maintain a written information security program, and designate an employee to maintain it.
  • To ensure that their employees are aware of and comply with the regulations and are capable of detecting and preventing security system failures, they must train their employees, including temporary or contract employees, in practices related to the storage of and access to personal information, as well as the transportation of records containing personal information outside of the entity’s premises. In addition, any employee who violates the regulations must be disciplined as deemed appropriate, and terminated employees must not retain access to records containing personal information.
  • They must take reasonable steps to select and retain third-party service providers that are capable of protecting personal information, and must require their third-party service providers by contract to implement and maintain appropriate security measures for personal information.
  • Electronically stored or transmitted personal information, to the extent technically feasible, must be protected by secure user authentication protocols and secure access control measures. In addition, electronic systems must be maintained with appropriate and updated security software, and systems that are connected to the internet must contain up-to-date firewall protection, reasonably designed to maintain the integrity of personal information. Importantly, personal information transmitted across public networks, wirelessly, or in any portable device, must be encrypted.
  • Regular monitoring must be conducted, including identification and assessment of reasonably foreseeable internal and external risks to security. In addition, they must document actions taken in connection with any breach of security related to personal information and, following such a breach, must make any necessary changes to their business practices to ensure protection of personal information.

A public hearing was held in Boston on September 22, 2009 on these regulations.