Privacy, Data Protection and Information Management Alert

January 2009

Author:

Bruce H. Nielson

+1.202.778.9256

bruce.nielson@klgates.com

Contributors:

Sean P. Mahoney

+1.617.261.3202

sean.mahoney@klgates.com

Holly K. Towle

+1.206.370.8334

holly.towle@klgates.com

Henry L. Judy

+1.202.778.9032

henry.judy@klgates.com

K&L Gates comprises approximately 1,700 lawyers in 28 offices located in North America, Europe and Asia, and represents capital markets participants, entrepreneurs, growth and middle market companies, leading FORTUNE 100 and FTSE 100 global corporations and public sector entities. For more information, visit www.klgates.com.

Are You in Compliance with Massachusetts’ Tough New Standards for the Protection of Personal Information?

If your business maintains any personal information about any residents of Massachusetts and you do not understand the title above, you should read on.

If you were aware of the “tough new standards” for information protection in Massachusetts and thought your business needed to be in compliance with those standards by January 1, 2009, you should read on. If your business needs any help creating or revising an information security program that is compliant with Massachusetts’ tough new standards, you should read on.

In September 2008, the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) issued a regulation that is intended to help protect from unauthorized disclosure the personal information of residents of Massachusetts.

In a nutshell, the regulation purports to require every business that maintains any personal information about Massachusetts residents (whether or not the business has a presence in Massachusetts) to do the following:

• Develop and implement, for all records that contain personal information of Massachusetts residents, a “comprehensive, written information security program” that includes several elements prescribed in the regulation.

• Implement a security system for computer and wireless networks that includes, among other things, the use of secure user authorization protocols, secure access control measures, encryption of stored and transmitted data, and Internet firewall protections.

When first released by the OCABR, the regulation included an effective date of January 1, 2009. However, the OCABR recently announced that the effective date for most of the regulation’s provisions is being postponed to May 1, 2009, to allow businesses additional time to comply with the regulation. The effective date for a couple of the regulation’s most onerous provisions has been postponed to January 1, 2010.

So, the good news is that businesses that maintain any personal information about Massachusetts residents have an additional four months to comply with most of the regulation’s requirements and an additional year to comply with the most onerous provisions. The bad news is that four months, and even a year, can go by rather quickly, and many of the requirements of the Massachusetts regulation that will become effective on May 1, 2009, are tough and will likely require businesses to revise existing – or adopt new – information security programs and policies to comply with the regulation.

What follows below is a brief summary of the key provisions of the Massachusetts information security regulation.

What is the Regulation?

The Massachusetts regulation is found in the Code of Massachusetts Regulations at 201 CMR 17.00 and is entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth.” The regulation was issued under Massachusetts General Laws chapter 93H, which addresses information security breaches. Among the stated purposes of the regulation are the following:

• “establish[] minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records”

• “ensure the security and confidentiality of such information in a manner consistent with industry standards”

• “protect against anticipated threats or hazards to the security or integrity of such information”

• “protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud”

To What and Whom Does the Regulation Apply?

The regulation purports to apply to “all persons that own, license, store or maintain personal information about a resident” of Massachusetts.

The regulation defines “persons” to include natural persons, corporations, associations, partnerships and other legal entities, other than Massachusetts state and local governmental entities. “Personal information” is defined as “a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number.”

Although this Alert focuses on business entities, the regulation purports to apply to any individual person or sole proprietor who maintains personal information about a resident of Massachusetts.

The regulation excludes from the definition of “personal information” any information “that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”

Many businesses with no other connection to Massachusetts may have personal information subject to the regulation. For example, a personal check used by a Massachusetts resident to purchase goods or services from a small retailer in California contains a full name and account number and therefore qualifies as personal information covered by the regulation.

It is not clear how – and it is beyond the scope of this Alert to attempt to analyze how – the Massachusetts regulation might be applied or enforced against entities that maintain covered information but have no other ties to Massachusetts or its residents. For example, if a data storage service provider to a company that has Massachusetts employees or customers maintains personal data of the employees or customers on servers located in Iowa and has no other contacts with Massachusetts or residents of Massachusetts, query whether the OCABR or Massachusetts courts would have jurisdiction over the service provider to apply or enforce the regulation.

What Does the Regulation Require?

The regulation has two main substantive sections, the first of which imposes a duty to develop and implement a “comprehensive, written information security program applicable to any records containing” the personal information of Massachusetts residents.

(“Record” is defined as “any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.”) The second main substantive section of the regulation imposes certain security system requirements for computer and wireless networks.


Written Information Security Program.

The regulation states that “[e]very person that owns, licenses, stores or maintains personal information about a resident of [Massachusetts] shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.” The regulation provides that the information security program must be “reasonably consistent with industry standards” and must “contain administrative, technical, and physical safeguards” that are “consistent with the safeguards for protection of personal information … set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated.”

The regulation provides that an entity’s compliance with the requirement to maintain a “comprehensive information security program” will be evaluated taking into account the entity’s size and scope of business, the amount of resources available to the entity, the amount of data stored by the entity, and “the need for security and confidentiality of both consumer and employee information.”

The regulation prescribes certain minimum elements that must be included in the required comprehensive information security program, including the following:

• Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality or integrity of records containing personal information

• Evaluation and improvement of the effectiveness of safeguards against information security risks, including employee training and compliance and means for detecting and preventing security system failures

• Development of security policies for employees “that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises”

• “Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information”

• Obtaining from third-party service providers a written certification that the service provider has a written, comprehensive information security program that is in compliance with the regulation. This is one of the requirements the effective date of which has been postponed until January 1, 2010, but even with that extension it may be difficult to obtain such a certification

• “Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected” and limiting both the time such information is retained and the access to such information to only those who are “reasonably required to know such information” to accomplish the purpose for which the information was collected or to comply with state or federal record retention requirements

Computer System Security Requirements.

This section of the regulation provides that a company’s comprehensive information security program must include “the establishment and maintenance of a security system that covers its computers, including any wireless system.” This section prescribes certain minimum required elements for the security system, including the following:

• Secure user authentication protocols, including control of user IDs, a reasonably secure method of assigning passwords (or use of unique identifier technologies), control of data security passwords, and blocking access to user IDs after multiple unsuccessful attempts to gain access

• Secure access control measures that (i) restrict access to records containing personal information to only those who need such information to do their jobs and (ii) assign unique identifications and passwords to each person with computer access

• “To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly”

• “Encryption of all personal information stored on laptops or other portable devices” (the requirement to encrypt personal information on “other portable devices” is the other provision the effective date of which has been postponed to January 1, 2010)

• “Reasonably up-to-date firewall protection and operating system security patches” for records containing personal information on a system connected to the Internet
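As an added illustration that is not part of this Alert or of the regulation’s text, the following Python sketch shows the kind of authentication control the first two bullets above describe: a unique ID assigned to each person, salted password hashing, and blocking a user ID after a fixed number of unsuccessful attempts until an administrator unlocks it. The lockout threshold and hashing parameters are constructed values chosen for the example; the regulation itself sets no specific numbers, and a real deployment would persist the accounts rather than keep them in memory.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed policy values for the example (the regulation prescribes no specific numbers).
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


@dataclass
class Account:
    user_id: str            # unique identifier per person
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


class AuthStore:
    """In-memory authentication store: one unique user ID per person,
    salted PBKDF2 password hashing, and lockout after repeated failures."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def create_user(self, user_id: str, password: str) -> None:
        # Unique identification per person: never reassign an existing ID.
        if user_id in self._accounts:
            raise ValueError(f"user ID already assigned: {user_id}")
        salt = os.urandom(SALT_BYTES)
        self._accounts[user_id] = Account(user_id, salt, self._hash(password, salt))

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self._accounts.get(user_id)
        if acct is None:
            # Do the same hashing work for unknown IDs so response time
            # does not reveal which user IDs exist.
            self._hash(password, b"\x00" * SALT_BYTES)
            return False
        if acct.locked:
            # Blocked ID: refuse even a correct password until unlocked.
            return False
        ok = hmac.compare_digest(self._hash(password, acct.salt), acct.password_hash)
        if ok:
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
        return False

    def is_locked(self, user_id: str) -> bool:
        return self._accounts[user_id].locked

    def unlock(self, user_id: str) -> None:
        # Administrative unlock; also clears the failure counter.
        acct = self._accounts[user_id]
        acct.locked = False
        acct.failed_attempts = 0


if __name__ == "__main__":
    store = AuthStore()
    store.create_user("alice", "correct horse battery")
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.authenticate("alice", "wrong password")
    print("alice locked after repeated failures:", store.is_locked("alice"))
```

The failure counter is reset on a successful login and on administrative unlock only; a locked ID rejects the correct password too, which is what “blocking access to user IDs after multiple unsuccessful attempts” requires in practice.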

What is the Penalty for Non-Compliance?

The Attorney General of Massachusetts is charged with enforcement of the law under which the regulation was issued, Massachusetts General Laws chapter 93H. The Attorney General may seek an injunction against violations of the law and regulation, and violators may be subject to a $5,000 civil penalty for each violation.

Whether a showing of harm or actual damages is a condition precedent to this penalty and how “violations” will be counted for purposes of calculating the penalty will surely be litigated, and worst case outcomes create breathtaking possibilities. For example, if a business maintains 10,000 records that contain personal information of Massachusetts residents and the business is not in compliance with the regulation, it may be possible in a worst case scenario that the business could be assessed up to $50,000,000 in civil money penalties.

How Can My Business Come into Compliance?

Given the relatively tough standards and requirements in the Massachusetts regulation, many businesses that maintain records containing the personal information of Massachusetts residents will likely need to either (a) substantially revise their existing information security programs to meet the requirements of the regulation or (b) for businesses or entities that may not already have a comprehensive, written information security program, create the kind of comprehensive, written information security program that is contemplated by the regulation and that contains at least the required minimum standards and elements.

K&L Gates has substantial experience advising clients with respect to information security programs and policies, and we would be pleased to assist businesses in reviewing and revising existing information security programs – or preparing new, comprehensive, information security programs – in light of the requirements of the Massachusetts regulation and other similar requirements under federal and state laws and regulations.


Anchorage Austin Beijing Berlin Boston Charlotte Dallas Fort Worth Frankfurt Harrisburg Hong Kong London Los Angeles Miami Newark New York Orange County Palo Alto Paris Pittsburgh Portland Raleigh Research Triangle Park San Francisco Seattle Shanghai Spokane/Coeur d’Alene Taipei Washington, D.C.

K&L Gates comprises multiple affiliated partnerships: a limited liability partnership with the full name K&L Gates LLP qualified in Delaware and maintaining offices throughout the U.S., in Berlin, in Beijing (K&L Gates LLP Beijing Representative Office), and in Shanghai (K&L Gates LLP Shanghai Representative Office); a limited liability partnership (also named K&L Gates LLP) incorporated in England and maintaining our London and Paris offices; a Taiwan general partnership (K&L Gates) which practices from our Taipei office; and a Hong Kong general partnership (K&L Gates, Solicitors) which practices from our Hong Kong office. K&L Gates maintains appropriate registrations in the jurisdictions in which its offices are located. A list of the partners in each entity is available for inspection at any K&L Gates office.

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

©2009 K&L Gates LLP. All Rights Reserved.
