Privacy, Data Protection and Information Management Alert

October 7, 2009
Authors:
Bruce H. Nielson
bruce.nielson@klgates.com
+1.202.778.9256
Tough Massachusetts Information Security Regulation
is Revised and Postponed, Again – Are You Ready for
the New Effective Date of March 1, 2010?
This Client Alert reports on yet further revisions to, and a further postponement of
the effective date of, Massachusetts’ tough information security regulation (201
CMR 17.00). Brief history:
• September 2008: the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) issues a tough information security regulation that purports to apply to all people and entities that use or maintain certain personal information of Massachusetts residents. The regulation was to take effect on January 1, 2009.
• November 2008: in light of strenuous opposition to the regulation from the business community, the OCABR announces that the effective date for most of the regulation’s provisions is postponed to May 1, 2009, and that the effective date for a couple of provisions is postponed to January 1, 2010.
• February 2009: the OCABR issues a revised regulation and postpones the effective date of the entire revised regulation to January 1, 2010.
• August 2009: the OCABR issues a further revised regulation and postpones the effective date of the newly revised regulation to March 1, 2010.
This Alert focuses on the latest revision to the Massachusetts information security
regulation. Businesses that maintain personal information about Massachusetts
residents will need to comply with the revised regulation in five short months. For
more information about the regulation as first issued by the OCABR, please go to
http://www.klgates.com/newsstand/Detail.aspx?publication=5216.
What Does the Revised Regulation Require?
The revised regulation continues to require that every business or entity of any kind
(except a Massachusetts public agency) that “owns or licenses personal information”
in a “record” about a Massachusetts resident “shall develop, implement, and
maintain” a comprehensive written information security program (or WISP). Lest
anyone think “owns or licenses” is a narrow phrase, the regulation defines the phrase
as “receives, maintains, processes, or otherwise has access to personal information in
connection with the provision of goods or services or in connection with
employment.” The term “personal information” continues to be defined as a
person’s first and last name or first initial and last name combined with any of the
following: Social Security number, driver’s license or state-issued ID card number,
or financial account or credit or debit card number (with or without any required
password, security code, access code or personal identification number). The term
“record” continues to mean “any material upon which written, drawn, spoken, visual,
or electromagnetic information or images are recorded or preserved, regardless of
physical form or characteristics.”
The regulation provides that the WISP must contain
administrative, technical and physical safeguards for
personal information that are “appropriate to (a) the
size, scope and type of business . . .; (b) the amount
of resources available . . .; (c) the amount of stored
data; and (d) the need for security and
confidentiality” of the personal information. This
language was added in the latest revision of the
regulation, and, according to the OCABR, it
establishes a “risk-based approach” to information
security for those subject to the regulation.
The revised regulation continues to require that the
safeguards contained in the WISP “must be
consistent with the safeguards for protection of
personal information and information of a similar
character set forth in any state or federal regulations
by which the person who owns or licenses such
information may be regulated.”
Required Elements of a Comprehensive Written Information Security Program
The revised regulation also continues to require that the WISP contain certain specific elements or features, including the following:
• Designating one or more employees to maintain the program
• Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality or integrity of any records containing personal information
• Evaluating and improving safeguards for limiting risks, including employee training and compliance and means for detecting and preventing security system failures
• Developing security policies regarding storage, access and transportation of records containing personal information outside of business premises
• Imposing disciplinary measures for violations of security rules
• Preventing terminated employees from accessing records containing personal information
• Imposing reasonable restrictions on physical access to records containing personal information
• Regular monitoring of the operation of the comprehensive information security program
• Reviewing the scope of security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information
• Documenting responsive actions taken in connection with any breach of security, and conducting a mandatory post-incident review of events and actions taken (this effectively requires a written data breach response plan)
• Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with the regulation
• Contractually requiring third-party service providers to implement and maintain appropriate security measures (but any contract with a service provider that is entered into before March 1, 2010 will be deemed to be in compliance even if it does not require the service provider to maintain security measures)
Computer System Security Requirements
The revised regulation continues to require that, for businesses that electronically store or transmit personal information, the WISP include the establishment and maintenance of a computer security system (including any wireless system) that, “at a minimum, and to the extent technically feasible,” has the following elements:
• Secure user authentication protocols, including control of user IDs, a “reasonably secure” method of assigning and selecting passwords (or use of unique identifier technologies, such as biometrics or token devices), control of data security passwords, restricting access to active users only, and blocking access to user identification after multiple unsuccessful attempts to gain access
• Secure access control measures that restrict access to personal information to only those who need such information to perform their jobs and that assign unique identifications plus passwords that are reasonably designed to maintain the security of the access controls
• Encryption of all transmitted records and files that contain personal information and that will travel across public networks
• Encryption of all data containing personal information that will be transmitted wirelessly
• Encryption of all personal information stored on laptops or other portable devices
• Reasonable monitoring of systems for unauthorized use of or access to personal information
• Reasonably up-to-date firewall protection and operating system security patches that are reasonably designed to maintain the integrity of personal information for files containing personal information on a system that is connected to the Internet
• Reasonably up-to-date versions of system security agent software, including malware protection and reasonably up-to-date patches and virus definitions
• Education and training of employees on the proper use of the computer security system and the importance of personal information security
A key difference between the revised regulation and earlier versions of the regulation is that the “technically feasible” qualifier now applies to all of the required elements of the computer security system, not just to the encryption requirements as was the case in earlier versions of the regulation. In a “Frequently Asked Questions” document released with the revised regulation, the OCABR defined “technically feasible” as meaning “that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.”
What is the Penalty for Non-Compliance?
The penalty for non-compliance with the revised regulation has not changed. The Massachusetts Attorney General is charged with enforcement of the regulation, and violators may be subject to a $5,000 civil penalty for each violation. What would have to be shown to establish a violation and how violations would be counted for purposes of calculating the penalty are issues that will likely be litigated. If violations are counted on a per-record basis, businesses with thousands of records containing personal information of Massachusetts residents could, in theory, face fines of tens of millions of dollars or more.
Will the Regulation be Revised and
Postponed Again?
If we knew the answer to this, we would probably
be in a different line of work. However, we do
know that the OCABR recently held a hearing on
the latest version of the regulation and that the
revisions to the regulation seem to have quieted
some of the most vocal opponents to earlier versions
of the regulation. It seems likely that this version of
the regulation, or something very close to it, will in
fact become effective on March 1, 2010. One
remaining uncertainty is whether the regulation will
be seriously challenged in court on constitutional or
other grounds.
How Can My Business Come into
Compliance?
Although the revised regulation is not as demanding
as earlier versions, it is still a tough regulation that
may require many businesses that receive, maintain
or process personal information of Massachusetts
residents to revise existing – or create new – WISPs
to comply with the regulation by its March 1, 2010
effective date. We believe the Massachusetts
regulation is an indication of where state and federal
law on information security is headed, and we
encourage all businesses that have not already done
so to consider creating and implementing
information security programs that comply with the
heightened standards of the Massachusetts
regulation, even if the businesses are not subject to
the regulation.
K&L Gates has substantial experience advising
clients with respect to information security
programs, policies and plans. We would be pleased
to assist businesses in reviewing and revising
existing information security programs – or in
preparing and implementing new, comprehensive
information security programs – in light of the
Massachusetts regulation and other information
security requirements under federal and state laws
and regulations.
Anchorage Austin Beijing Berlin Boston Charlotte Chicago Dallas Dubai Fort Worth Frankfurt Harrisburg Hong Kong London
Los Angeles Miami Newark New York Orange County Palo Alto Paris Pittsburgh Portland Raleigh Research Triangle Park
San Diego San Francisco Seattle Shanghai Singapore Spokane/Coeur d’Alene Taipei Washington, D.C.
K&L Gates is a global law firm with lawyers in 33 offices located in North America, Europe, Asia and the Middle East, and represents numerous
GLOBAL 500, FORTUNE 100, and FTSE 100 corporations, in addition to growth and middle market companies, entrepreneurs, capital market
participants and public sector entities. For more information, visit www.klgates.com.
K&L Gates comprises multiple affiliated partnerships: a limited liability partnership with the full name K&L Gates LLP qualified in Delaware and
maintaining offices throughout the United States, in Berlin and Frankfurt, Germany, in Beijing (K&L Gates LLP Beijing Representative Office), in
Dubai, U.A.E., in Shanghai (K&L Gates LLP Shanghai Representative Office), and in Singapore; a limited liability partnership (also named K&L
Gates LLP) incorporated in England and maintaining offices in London and Paris; a Taiwan general partnership (K&L Gates) maintaining an office in
Taipei; and a Hong Kong general partnership (K&L Gates, Solicitors) maintaining an office in Hong Kong. K&L Gates maintains appropriate
registrations in the jurisdictions in which its offices are located. A list of the partners in each entity is available for inspection at any K&L Gates office.
This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon
in regard to any particular facts or circumstances without first consulting a lawyer.
©2009 K&L Gates LLP. All Rights Reserved.