Massachusetts’s new data security regulations, effective March 1, 2010, currently set forth the country’s most stringent requirements for protecting data. Extending beyond what is required by other states, Massachusetts specifies that, for example, covered entities, including exempt organizations, must implement a written information security program and must encrypt personal information that will be transmitted over the Internet, or that is kept on laptops and other portable devices. Out-of-state exempt organizations working with Massachusetts residents should determine whether they have to comply with these new regulations.
Massachusetts regulators and enforcement agencies would likely make the following three arguments that certain out-of-state exempt organizations, like in-state exempt organizations, must comply with the new regulations.
First, Massachusetts would likely argue that, in order to determine whether an exempt organization is subject to the regulations, the threshold inquiry involves an assessment of information owned or licensed by the exempt organization – not an assessment of where that exempt organization is located. The regulations pertain to legal entities that own or license personal information of Massachusetts residents, which is defined as a Massachusetts resident’s first and last name, or first initial and last name in combination with any one or more of the following data elements related to the resident: (1) social security number; (2) driver’s license number or state-issued identification card number; or (3) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. Thus, Massachusetts would likely contend that any exempt organization that owns or licenses personal information of Massachusetts residents – regardless of where that exempt organization is located – is a covered entity under the regulations.
Second, based on discussions that occurred before the regulations went into effect, it is safe to expect that Massachusetts regulators will assert the right to enforce the regulations against out-of-state exempt organizations. While no litigation has been filed as yet – the regulations have been in effect for just over two months – Massachusetts regulators have made clear that they intend to vigorously enforce the regulations to the extent required to protect Massachusetts residents from identity theft, the very purpose for which these regulations were promulgated.
Third, Massachusetts would likely argue that owning or licensing personal information is sufficient for jurisdictional purposes. Specifically, Massachusetts would contend that, by owning or licensing personal information of Massachusetts residents, the out-of-state exempt organization purposefully availed itself of the privilege of conducting business in Massachusetts. Alternatively, Massachusetts would contend that owning or licensing personal information of Massachusetts residents constitutes sufficient contacts with Massachusetts. While no precedent currently exists on this issue, Massachusetts would attempt to convince the courts that owning or licensing a Massachusetts resident’s personal information satisfies one or both of these jurisdictional tests.
Because we expect that Massachusetts will aggressively enforce these new regulations, we encourage out-of-state exempt organizations that own or license personal information of Massachusetts residents to work towards compliance with the new regulations by implementing administrative, technical, and physical safeguards to protect the personal information they own or license.