Financial Services Alert
August 2007

New Massachusetts Identity Theft Prevention Law Breaks New Ground

Authors: Henry L. Judy, 202.778.9032, henry.judy@klgates.com; Holly K. Towle, 206.370.8334, holly.towle@klgates.com; Sean P. Mahoney, 617.261.3202, sean.mahoney@klgates.com. www.klgates.com

On August 2, 2007, Massachusetts Governor Deval Patrick signed into law Chapter 82 of the Acts of 2007, entitled "An Act Relative to Security Freezes and Notification of Data Breaches" (the "Act"). The Act contains three main components: (1) mandatory notification requirements to be followed upon a data security breach; (2) data disposal requirements; and (3) a "security freeze" procedure applicable to credit bureaus that allows consumers to mitigate identity theft. Unlike similar statutes in other states,[1] the Act applies to everybody: natural persons, corporations and government agencies alike. The Act purportedly applies to anyone who holds information relating to Massachusetts residents, not just persons who conduct business in Massachusetts, which raises questions about its constitutionality. Penalties for non-compliance range from treble damages plus attorneys' fees (recoverable by the Massachusetts Attorney General) for the security breach notice provisions to fines of up to $50,000 per violation for failure to comply with the data disposal requirements. The notification and security freeze provisions become effective October 31, 2007, while the data disposal provisions (Chapter 93I, discussed below) become effective February 3, 2008. Each component of the Act is discussed below.
Data Security Breach Notification Requirements

The Act creates a new Chapter 93H in the General Laws, requiring that agencies adopt data security regulations. It also provides a notification procedure in the event of a data security breach affecting personal information pertaining to residents of Massachusetts. The applicability of the statute is not limited to businesses, but includes all natural persons as well as legal entities and Massachusetts governmental agencies.[2]

"Personal information" subject to Chapter 93H includes a resident's first and last name, or first initial and last name, in combination with any one or more of the following: (a) social security number, (b) driver's license or state-issued identification card number, or (c) "financial account number." For a financial account number to cause the name information to be "personal information," the Act does not require compromise of a PIN or other identifier that would permit access to the account. This differs from most other state statutes of this kind and is questionable as a policy matter. Additionally, the Act does not define what constitutes a "financial account." "Personal information" explicitly excludes any data that is lawfully obtained from publicly available information. Indirectly, it also excludes non-electronic information: the definition of "breach of security" pertains only to electronic data, although the Act's failure to use that defined term consistently creates some ambiguities.

Holders of personal information are divided into two categories: (1) persons who "own or license" personal information and (2) others who "maintain or store" covered information. This dichotomy seems necessary in order to allocate responsibilities between those who have a relationship with the subject of the information and those who merely process it. But, like statutes in other states, the Act does not elaborate on who "owns" or "licenses" personal information, an issue that is complex in modern law. Under a wide variety of circumstances, residents, retailers, card issuers, service providers and other participants in our complex economy may have a good basis for arguing that they are, or are not, owners, licensors or licensees of different personal data elements. The Act does not resolve these fundamental underlying ambiguities; it can be expected that the applicable regulatory agencies and the courts will need to address them. As discussed below, these distinctions are not merely theoretical but have important compliance consequences under the Act.

"Maintaining" or "storing" information is a separate category of "holding" and would include the activities of at least some service providers. However, the scope of this separate category is not clear. For example, if a service provider processes information and holds it only temporarily in a cache, does that service provider "maintain or store" it within the terms of the statute? Natural persons are subject to the Act, and maintaining or holding is not limited to doing so for business purposes. Hence, a security breach involving home records (e.g., family personal information held by a sibling) is literally covered by the Act. The foregoing scheme appears to assume that it will be clear in most cases exactly which persons are owners or licensors and which simply maintain or store the personal information, and that a breach will not involve a range of data elements, some of which are held in different capacities.

[1] For a list of these statutes and a discussion of them, see a treatise co-authored by one of the authors of this alert: Holly K. Towle and Raymond T. Nimmer, The Law of Electronic Commercial Transactions (2003-07, A.S. Pratt & Sons) at Chapter 16.08[3].
[2] The definition of "agency" under the Data Disposal provisions (discussed below) is not limited to Massachusetts governmental agencies.
This is not unlike the ambiguity that arises under the EU Data Protection Directive as to who is a "controller," "co-controller," "processor" or "sub-processor" with respect to different data elements.

The obligation to provide a notice is triggered if the person (1) knows or has reason to know of a "breach of security," a defined term, or (2) knows or has reason to know that the personal information of a resident was acquired or used by an unauthorized person or used for an unauthorized purpose. The term "breach of security" is defined to include the "unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of [Massachusetts]." Thus, at least when the term "breach of security" is used,[3] to constitute such a breach an event must create a "substantial risk" of identity theft or fraud. This is consistent with federal guidance for financial institutions and avoids the problems created by some of the state statutes that force notices in circumstances where there really is no reasonable risk. For example, such notices can have the effect of encouraging consumers to seek new numbers when that is not warranted, and of causing them to ignore all notices as just more paper. With respect to encryption, the Act appears to be the first of the state statutes to define the level of encryption required ("encrypted" is defined as a process using a 128-bit key length or higher[4]).
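As an added illustration of the key-length definition just quoted, written for this page and not taken from the alert, the Act or any regulator's guidance: the Python below applies a genuinely random 128-bit key as a repeating XOR pad, which satisfies a "key length of 128 bits or higher" test, and then recovers that key, and every record with it, from a single known fragment of plaintext such as a file's header row. The export format, the records, the field names and the key in the test are all constructed for the example.

```python
"""Added illustration: a key-length test is not a strength test.

This is example code written for this page, not from the alert or any statute.
A 16-byte (128-bit) key used as a repeating XOR pad passes a "128-bit key or
longer" test, yet one known plaintext fragment at least as long as the key
recovers the key and therefore every record. The file format, records and
field names below are constructed for the example.
"""
import os
from typing import Optional

KEY_LEN = 16  # 16 bytes = 128 bits

# Constructed sample export: a fixed header row (predictable bytes an attacker
# can assume are present) followed by personal-information records.
HEADER = b"name,ssn,account_number\n"
ROW1 = b"Jane Q. Sample,000-00-0000,0000111122223333\n"
ROW2 = b"John R. Sample,000-00-0001,0000111122224444\n"
PLAINTEXT = HEADER + ROW1 + ROW2


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """'Encrypt' or decrypt by XORing each byte with the key, cycling the key.

    Applying it twice with the same key returns the original data.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def meets_key_length_test(key: bytes, min_bits: int = 128) -> bool:
    """A statutory-style check that looks only at key length."""
    return len(key) * 8 >= min_bits


def recover_key(ciphertext: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR.

    XORing key_len known plaintext bytes at position `offset` with the
    ciphertext at the same position yields key bytes starting at index
    offset % key_len; rotating them puts the key back in order.
    """
    if len(known) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    if offset + key_len > len(ciphertext):
        raise ValueError("known fragment runs past the end of the ciphertext")
    stream = bytes(c ^ p for c, p in zip(ciphertext[offset:offset + key_len], known))
    shift = offset % key_len
    return stream[key_len - shift:] + stream[:key_len - shift]


def break_export(ciphertext: bytes, known: bytes, offset: int, key_len: int = KEY_LEN) -> bytes:
    """Recover the key from one known fragment and decrypt the whole file."""
    return xor_repeating(ciphertext, recover_key(ciphertext, known, offset, key_len))


def demo(key: Optional[bytes] = None) -> dict:
    """Encrypt the sample export with a random 128-bit key, then break it
    using only the header row as known plaintext."""
    key = key if key is not None else os.urandom(KEY_LEN)
    ciphertext = xor_repeating(PLAINTEXT, key)
    return {
        "passes_128_bit_test": meets_key_length_test(key),
        "key_recovered": recover_key(ciphertext, HEADER, 0, KEY_LEN) == key,
        "records_recovered": break_export(ciphertext, HEADER, 0) == PLAINTEXT,
    }


if __name__ == "__main__":
    print(demo())  # all three values are True
```

The same 128-bit key used with AES would not fall to this attack; what a key-length definition measures is the size of the secret, not the algorithm, the mode of operation, or how the key was derived and stored, and those are what decide whether exposed ciphertext is actually protected.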
At least three issues are raised: (1) a covered entity that has encrypted at lower levels to come within encryption exemptions under other state statutes will need to revamp its systems as to Massachusetts; (2) the Massachusetts exemption is not as robust as under some of the other state statutes, since even encrypted data may trigger the need to provide notice if the key or the confidential process is exposed, so that key management, not merely the fact of encryption, becomes the relevant safeguard; and (3) the robustness of the encryption is defined solely in terms of key length and does not consider the relative strengths of the different algorithms that might be used or how they are applied: a 128-bit key used with a broken algorithm, in an insecure mode, or derived from a guessable password meets the letter of the definition while providing little real protection.

Notice of a breach of security must be sent "as soon as practicable and without unreasonable delay." A person who "owns or licenses" personal information is required to send notice to the Massachusetts Attorney General, the Director of the Office of Consumer Affairs ("Consumer Affairs") and each resident affected by the security breach or potential unauthorized acquisition or use. If the reporting person is an agency within the executive branch of Massachusetts government, it must also notify the Division of Public Records. After receipt of a notice, Consumer Affairs is then required to provide the reporting person with a list of state agencies and credit bureaus that must also be notified of the incident. The provision of notice may be delayed if a law enforcement agency (a) determines that giving notice may impede a criminal investigation and (b) notifies the Attorney General in writing of that determination. But once the law enforcement agency notifies the reporting person that the notice may be given without risk of impeding an investigation, the notice must be given promptly.

The notice provided by a person owning or licensing personal information to the Attorney General and Consumer Affairs must specify: (1) the nature of the breach of security or unauthorized acquisition or use, (2) the number of Massachusetts residents affected by the incident at the time of notification, and (3) any steps the reporting person has taken or plans to take relating to the incident. It is critical to note that the notice provided to residents is distinctly different. It must include: (a) the consumer's right to obtain a police report, and (b) information instructing a consumer how to effect a security freeze on his or her credit report, but it may not disclose the nature of the incident or the number of Massachusetts residents affected.

[3] Unfortunately, the Act is fundamentally ambiguous on whether such a breach is required: clearly a breach of security is the trigger for subsection (1) of this paragraph, but subsection (2) does not use that defined term and literally requires only acquisition or use by an unauthorized person or for an unauthorized purpose. It is unlikely that the legislature intended, for purposes of subsection (2), to cast aside all of the concepts inherent in the definition of "breach of security" (such as the requirement for electronic data and a substantial risk of harm), but this is not clear. Hopefully the regulations will remedy this ambiguity.
[4] A California regulator has suggested in a "best practices" guide that encryption meet standards set by the National Institute of Standards and Technology's Advanced Encryption Standard, but the guide itself explains that it has no legal significance ("The recommendations offered here are neither regulations, nor mandates, nor legal opinions."). See "Recommended Practices on Notice of Security Breach Involving Personal Information" (2/07, CA Office of Privacy Protection).
This latter requirement, i.e., the prohibition on describing the incident or the number affected, directly contradicts several other "security breach notice" statutes, which expressly require at least a general description of the breach.[5] Thus, a person sending notice in the form required by those states will violate Massachusetts law, and a person sending the notice required in Massachusetts will violate the laws of other states. In short, and assuming any of the statutes are constitutional, special notices for Massachusetts will need to be crafted.

Persons who maintain or hold personal information are required to send notice to the "owner or licensor" and to cooperate with such owner or licensor, but cannot be required to send notices to the residents who are the subject of the information at risk. Such holders are required to cooperate by providing the owner or licensor with: (a) the nature of the breach of security or unauthorized acquisition or use, (b) the date or approximate date of the incident, and (c) any steps the holder has taken or plans to take relating to the incident. The holder is not required to provide an owner or licensor with any information that constitutes confidential business information or trade secrets.

Notices may be made in writing or electronically consistent with the E-Sign Act[6] and the analogous provision of Massachusetts law, Mass. Gen. L. ch. 110G. If the person or agency required to provide notice demonstrates that (a) the cost of providing written notice will exceed $250,000, (b) notice is required for more than 500,000 Massachusetts residents, or (c) the person or agency does not have sufficient contact information to provide notice, then a "substitute notice" may be provided. A "substitute notice" is notice that includes the following three elements: (1) e-mail notice, if the person or agency has e-mail addresses of affected Massachusetts residents; (2) a clear and conspicuous posting of the notice on the home page of the person or agency, if the person or agency maintains a website; and (3) publication in or broadcast through media that provide notice throughout Massachusetts.

Substitute notices can have the effect of promoting identity theft by alerting identity thieves to a problem they can "solve" (e.g., by sending "phishing" e-mails offering to "correct" the resident's account if only the resident will confirm the account number). Although other state statutes have similar provisions, the vast majority of them also allow notice to be provided in compliance with the reporting person's information security policy. Such provisions allow parties to have a privacy/information policy that, for example, allows use of a more private form of notice such as e-mail. Federal guidance for financial institutions similarly allows e-mail notice per agreement and without compliance with the provision of E-Sign referenced in the Act. The Act, however, contains no such provision, and so may promote what it hopes to prevent: identity theft.

[5] See, e.g., NC GS § 75-65(d) (notice must include a description of the "incident in general terms") and N.H. Rev. Stat. tit. XXXI, § 359-C:20 (same); see also, e.g., Michigan S.B. 309 (notice must "describe the security breach in general terms").
[6] The Electronic Signatures in Global and National Commerce Act, Pub. L. No. 106-229, 114 Stat. 464 (2000) (codified at 15 U.S.C. § 7001 et seq.). This wording, which exists in most of the state statutes, is another example of ambiguity in the Act.
A person that maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance or guidelines, and provides notice in accordance with such procedures, is deemed to comply with the Act if that person also provides notice of the breach to the Attorney General and Consumer Affairs as soon as practicable. The notice must describe any steps the person or agency has taken or plans to take relating to the breach pursuant to the applicable federal law, rule, regulation, guidance or guidelines. Whether this state gloss on federal law is preempted remains to be seen and may depend upon the underlying federal law and the scope of its preemption (or lack thereof).

Several Massachusetts governmental agencies are required to adopt regulations designed to protect the "personal information" of Massachusetts residents. Consumer Affairs is charged with promulgating regulations that will apply to persons that own or license personal information relating to Massachusetts residents. The Massachusetts legislature, judiciary, Attorney General, Secretary of State, Treasurer and State Auditor are required to adopt rules or regulations governing their own safekeeping of personal information relating to Massachusetts residents. The Massachusetts Supervisor of Records is charged with promulgating regulations that will apply to all other state agencies. The Attorney General is explicitly authorized to pursue violations of the Act under the Massachusetts Unfair and Deceptive Acts and Practices ("UDAP") statute, which allows penalties of treble damages plus attorneys' fees.

Data Disposal Requirements

The Act also creates a new Chapter 93I of the Massachusetts General Laws. The new chapter requires any person holding "personal information" on a resident of Massachusetts to follow certain procedures in disposing of such information.
Chapter 93I does not become effective until February 3, 2008, and, like the rest of the Act, raises constitutional questions. The definition of "personal information" in Chapter 93I is identical to the definition in Chapter 93H (relating to data security breach notification) with two exceptions: (1) Chapter 93I applies to non-electronic as well as electronic information; and (2) the Chapter 93I definition also includes name plus biometric indicator as personal information. Thus, on both grounds a fingerprint card bearing a Massachusetts resident's name would be subject to Chapter 93I (data disposal) but, for both reasons, would not be covered by Chapter 93H (data security breach notification). Chapter 93I is applicable to individuals in their purely personal capacities. Thus, if any person, apparently regardless of location, wishes to dispose of his or her computer, cell phone, PDA or other device, and that device contains personal information concerning any Massachusetts resident, that person must dispose of the device in accordance with Chapter 93I. As discussed below, the requirement would appear to extend also to computer vendors that have environmentally friendly programs for the disposal of such devices. New Chapter 93I imposes requirements on any Massachusetts government agency or person disposing of records containing personal information relating to Massachusetts residents.
Paper documents containing personal information must be "redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed." Non-paper personal information must be "destroyed or erased so that personal information cannot practicably be read or reconstructed." In practice, deleting files or reformatting a drive does not meet that standard, because the underlying data remains recoverable; overwriting the media, destroying the key for media that were fully encrypted, or physically destroying the media does. Service providers that provide disposal services must implement and monitor compliance with policies and procedures designed to prohibit unauthorized access to, acquisition of or use of personal information "during the collection, transportation and disposal of personal information." This requirement raises certain implementation questions. First, the absolute term "prohibit" appears to set a high and perhaps unreachable standard. Second, practice differs in the disposal industry as to whether a service provider that collects older computers for disposal or erasure acquires title at the time of collection or simply takes them on consignment. The distinction matters for insurance, environmental law and other purposes. At the time of collection, is the service provider an owner or licensor of any personal data on the hard drives for notice purposes? Or is it the entity that engaged the service provider? Note that Chapter 93I does not impose any condition that a service provider or other person disposing of personal information know that he, she or it even possesses the personal information. An owner of a public waste receptacle could conceivably violate Chapter 93I if members of the public place items containing personal information in that receptacle; town governments that collect waste from residents may need to be concerned that any personal information contained in household waste is properly disposed of; and even consumers will need to be careful in disposing of their credit card imprint receipts and family records.
Ironically, a new form of "dumpster diving" may occur as service providers inspect previously uninspected garbage in order to comply with the statute. A similar disposal rule at the federal level was accompanied by an explanation that waste containing covered information must be so marked by the party disposing of it;[7] although that approach has its own problems, it at least gives the service provider a fighting chance. Violations of Chapter 93I are subject to fines of up to $100 per item of data affected, up to a maximum of $50,000 for each instance of improper disposal. Additionally, the Attorney General is explicitly authorized to pursue violations of Chapter 93I under the Massachusetts UDAP statute.

Security Freeze Provisions

The Act adds a new Section 62A to Chapter 93 of the Massachusetts General Laws, creating the core of the new security freeze right. A Massachusetts "consumer" may request a security freeze on his or her credit report (i.e., the report maintained on a consumer by a credit bureau). The credit bureau receiving the request then has three business days from the date of receipt of the request to effect the security freeze and five business days to notify the consumer in writing that the freeze is in effect. Within five business days of a request, a credit bureau is required to provide the consumer with a PIN or password to use in order to remove the security freeze or to authorize the release of information to a specific creditor. A credit bureau is required to release a security freeze within three business days of a consumer request and may charge a fee of up to $5 unless the consumer is a victim of identity theft. Once a security freeze is in place, the credit bureau may not release a credit report relating to a consumer to any person without the consumer's express authorization, subject to the exemptions described in the following paragraph.
While a security freeze is in place, a credit bureau cannot change a consumer's name, date of birth, social security number or address in that consumer's credit report without sending a written confirmation of the change to the consumer within 30 days of the change. Even if a freeze is in effect, a credit bureau may release the related consumer's credit report to any of the following: (a) a creditor (or agent of a creditor) of the consumer; (b) a proposed assignee of an obligation of the consumer if the consumer has an existing relationship with the proposed assignee; (c) any government agency, law enforcement agency or trial court acting pursuant to a court order, warrant or subpoena; (d) the Massachusetts child support agency; (e) the executive office of health and human services or its agents or assigns acting to investigate Medicaid fraud; (f) a person using credit information for the purposes of prescreening as provided for by the federal Fair Credit Reporting Act (i.e., credit card companies preparing pre-approved offers of credit); (g) any credit file monitoring service to which the consumer has subscribed; (h) any person acting solely for the purpose of providing a consumer with a copy of his or her consumer report upon the consumer's request; or (i) any property and casualty insurer licensed by Massachusetts for use in rating or underwriting insurance policies.

Interestingly, all notifications are required to be delivered by consumers to credit bureaus via postal mail or overnight courier. Additionally, a consumer would have to notify each of the credit bureaus in this way to effect a security freeze. This makes the security freeze a cumbersome procedure in the event of actual danger of identity theft: a thief could obtain credit instantaneously via electronic means, while the procedure for preventing this must be done by paper and physical delivery. The prohibition against use of electronic methods of delivery may also create questions under federal law restricting the power of states to discriminate against e-commerce. Similarly, the restriction on the release of all information by credit bureaus may raise constitutional issues. Because a consumer may request a security freeze at any time, whether or not the consumer reasonably believes that he or she is vulnerable to identity theft, the open-ended nature of the security freeze effectively gives consumers a new right to control dissemination of their credit reports. Moreover, the security freeze may only be removed at the consumer's direction unless that consumer has "misrepresented a material fact," in which case the credit bureau may lift the freeze with five days' prior notice to the consumer. Accordingly, and ironically, the danger of an identity thief instituting a security freeze after changing the address on the consumer's credit report may create a greater risk to consumers than existed before.

Coverage of the Act

The Act has the potential to affect a large number of persons, businesses and government agencies within the reach of Massachusetts' jurisdiction. The sole criterion subjecting one to the Act is the possession of personal information relating to a Massachusetts resident. There is no requirement that the personal information be used in commerce or that the person holding the information have any other contact with Massachusetts (other than contacts sufficient to warrant jurisdiction). Although the Act will have minimal impact on financial institutions, which are already subject to many similar requirements under federal law and regulatory guidance, many others may be caught off guard by the asserted breadth of the Act.

[7] Holly K. Towle and Raymond T. Nimmer, The Law of Electronic Commercial Transactions (2003-07, A.S. Pratt & Sons) at Chapter 16.12.
It is therefore important for any person, business or agency holding personal information relating to Massachusetts residents to assess the impact of the Act on it.

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

©1996-2007 Kirkpatrick & Lockhart Preston Gates Ellis LLP. All Rights Reserved.