Two new laws in Massachusetts require any person or organization with access to records containing personal information about Massachusetts residents to protect those records.
Chapter 93H mandates that security precautions be taken and notice be provided in the event of any unauthorized access to, or use of, personal information. Chapter 93H went into effect on Oct. 31, 2007. The other new law, Chapter 93I (effective Feb. 3), imposes certain destruction requirements for any records, paper or electronic, containing such information.
Although these new laws were a legislative response to recent credit security breaches, such as last year’s TJX incident, the laws are broadly written and apply to a wide range of organizations, including any employer with records bearing an employee’s name and social security number.
All organizations subject to Chapters 93H and 93I must comply with these new data management requirements or face monetary penalties and potential suit brought by the Massachusetts Attorney General.
If your organization does not yet have policies in place addressing data protection, security breaches, and record destruction, such policies need to be prepared and implemented immediately.
Also, contracts with third parties handling personal information, including data vendors and payroll companies, should be modified to include safeguard and notice requirements. Organizations subject to another state or federal law governing data use and/or privacy, such as the Health Insurance Portability and Accountability Act (HIPAA), should be sure to consider the ways in which Chapters 93H and 93I may align with, or differ from, other applicable laws when determining best practices for achieving compliance.
On Dec. 17, 2007, the Massachusetts Office of Consumer Affairs and Business Regulation issued proposed regulations, 201 CMR 17.00, implementing the security requirements in Chapter 93H. The comment period on these regulations ended Jan. 11. At the time of this writing, it is unclear whether the regulations will be modified prior to promulgation in final form.
Notably, organizations subject to, and in compliance with, any other law governing data security, such as HIPAA, are deemed to comply with Chapter 93H, so long as the security breach notifications discussed below are provided.
Specific sections of the new laws are highlighted below.
Identifying ‘personal information’
The laws define “personal information” as a Massachusetts resident’s first name or initial and last name, plus at least one of three additional identifying data: (a) Social Security number; or (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number.
Personal information can be in paper or electronic form.
A document containing a Massachusetts resident’s full name and address would not constitute personal information, nor would a document containing the resident’s initials and Social Security number, but those two documents maintained together in a single file or electronic record would qualify as personal information.
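The combination rule above is easy to get wrong in a data-discovery tool, because neither document in the example qualifies on its own but the two kept together do. The following classifier is an added example and is not from the article; it assumes an upstream scan has already tagged each document with labelled fields (the field names `first_name`, `last_name`, `ssn`, `drivers_license`, `state_id`, `financial_account` and `card_number` are this example's own), that every document concerns a Massachusetts resident, and that documents passed together form one "file or electronic record" in the statute's sense. The sample records are constructed.

```python
import re
from typing import Iterable

# Shapes used to validate identifier values (constructed for this example;
# they are deliberately simple and not production-grade validators).
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
LAST_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z'\-]+$")   # a real surname, not a bare initial


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test, so a random run of digits is not mistaken for a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_name(doc: dict) -> bool:
    """Name element: first name or first initial plus a last name.
    Initials alone (the 'initials and SSN' case in the text) do not count."""
    first = doc.get("first_name", "").strip()
    last = doc.get("last_name", "").strip()
    return bool(first) and LAST_NAME_RE.match(last) is not None


def identifiers(doc: dict) -> set:
    """Return the qualifying identifier kinds present in one document."""
    found = set()
    if SSN_RE.match(doc.get("ssn", "").strip()):
        found.add("ssn")
    # License and state ID formats vary by state; presence is enough here (assumption).
    if doc.get("drivers_license", "").strip() or doc.get("state_id", "").strip():
        found.add("license_or_state_id")
    if doc.get("financial_account", "").strip():
        found.add("financial_account")
    if luhn_valid(doc.get("card_number", "")):
        found.add("card_number")
    return found


def is_personal_information(docs: Iterable[dict]) -> bool:
    """Apply the combination rule across everything kept together in one file or record:
    a name element in any document plus at least one identifier in any document."""
    docs = list(docs)
    name_present = any(has_name(d) for d in docs)
    ids = set().union(*(identifiers(d) for d in docs))
    return name_present and bool(ids)


# Constructed sample documents mirroring the article's two-document example.
DIRECTORY_ENTRY = {"first_name": "Jane", "last_name": "Doe", "address": "1 Example St, Boston, MA"}
INITIALS_AND_SSN = {"first_name": "J.", "last_name": "D.", "ssn": "012-34-5678"}
CARD_ONLY = {"card_number": "4111 1111 1111 1111"}   # well-known Luhn-valid test number


if __name__ == "__main__":
    for label, file_contents in [
        ("directory entry alone", [DIRECTORY_ENTRY]),
        ("initials + SSN alone", [INITIALS_AND_SSN]),
        ("both kept in one file", [DIRECTORY_ENTRY, INITIALS_AND_SSN]),
        ("card number alone", [CARD_ONLY]),
    ]:
        print(f"{label}: personal information = {is_personal_information(file_contents)}")
```

The evaluation unit matters more than the per-document checks: a scanner that reports per file will miss the aggregation case unless it pools name elements and identifiers across everything stored together, which is why `is_personal_information` takes the whole file's documents at once.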
Initial security measures
The proposed regulations prescribe specific security measures for protecting personal information. Every organization that “owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.”
The safeguards maintained in the comprehensive information security program (CISP) must be “reasonably consistent” with industry standards and any otherwise applicable state or federal law, such as HIPAA.
All CISPs must contain at least 11 distinct components, including: a designated employee to maintain the CISP; contractual representations from third party service providers that they have adequate protection for personal information; disciplinary measures for violations of the CISP rules; and a process for documenting responsive actions taken in connection with any security breach.
Any organization that electronically stores or transmits personal information must include another nine components in its CISP, including: user authentication protocols; access control measures; encryption; employee education and training; and a written procedure for restricting physical access to computerized personal information records.
Providing notice
In the event of any unauthorized access to or use of personal information, Chapter 93H mandates prompt reporting of the incident. Any organization owning or licensing data containing personal information that “knows or has reason to know that the personal information . . . was acquired or used by an unauthorized person or used for an unauthorized purpose” must issue notice of the breach to: (1) the Massachusetts Attorney General; (2) the Director of Consumer Affairs; and (3) the affected Massachusetts resident.
Organizations that maintain or store such personal data, rather than directly owning or licensing it, need only provide notice to the data owner/licensee. The owner/licensee must then make the three required notifications listed above.
Destroying personal information
Chapter 93I will require all organizations that dispose of records containing personal information to destroy such records, whether paper or electronic, “so that personal information cannot practicably be read or reconstructed.” Paper records containing personal information should be shredded or burned.
Electronic records containing personal information must be fully erased, a process that generally requires rewriting over the space on the storage media where the records formerly existed. Organizations may contract with third parties such as data management companies to appropriately destroy records, as long as the third party implements and monitors compliance with the security provisions in Chapter 93H. Contracts with these third parties should now include explicit data safeguard requirements. Organizations should train employees about the new destruction requirements. Simply tossing paper into the recycle bin or pressing the “delete” key will no longer suffice.
Penalties for failing to comply
Any organization that violates Chapter 93I faces a civil fine of up to $100 per affected person, with a total possible fine of $50,000 for each instance of improper disposal. Failure to comply with Chapter 93H or 93I may subject the offender to a suit by the Attorney General under Chapter 93A, the consumer protection law. Violations may mean triple damages, as well as attorneys’ fees and legal costs.
Rebecca Rausch practices in the health care group of the Boston law firm of Krokidas and Bluestein, representing hospitals, community health centers, group care facilities, special education schools, nursing homes, and other health care providers. She focuses on litigation, corporate governance, and regulatory compliance, including HIPAA and other privacy concerns. Rebecca can be contacted at 617.482.7211 or [email protected].