Impending data breach CMR has lawyers worried

Concerned lawyers and business leaders can breathe a little easier after learning that they have been given an additional five months to comply with sweeping new regulations governing data breaches in Massachusetts.

The Office of Consumer Affairs and Business Regulation, led by former Bar Counsel Daniel C. Crane, has announced that 201 CMR 17.00 — initially intended to take effect Jan. 1 — will now be implemented on May 1.

“The important thing now is that most of the regulations have been put off until May, but that is just breathing space,” said Mark E. Schreiber, chairman of Edwards, Angell, Palmer & Dodge’s privacy group. “The fact that we have a little more time was a nice little holiday present from Consumer Affairs, but this is a tectonic shift in Massachusetts that has created an enormous amount of work in terms of figuring out what has to be encrypted.”

Prompted in part by the 2007 revelation that a security breach at TJX Cos. led to the theft of more than 45 million customer credit and debit card numbers, OCABR quietly promulgated the regulations last September.

The first-of-its-kind CMR requires businesses, law firms and any other entities holding personal information about Massachusetts residents to adopt several new policies, including:

• establishing a comprehensive information security program that uses up-to-date firewall protection;
• inventorying all systems that hold personal information about Massachusetts residents; and
• encrypting all wirelessly transmitted data and documents sent over the Internet or saved on laptops or flash drives.

“This is a very significant event both for consumers and for businesses,” said David A. Murray, OCABR general counsel. “Until now, there has not been in Massachusetts, or anywhere else in the country, the kind of specific statement of the minimum standards that are going to be considered acceptable in the handling of personal information.”

Data policy

While Frank J. Kautz II, a staff attorney at the Community Service Network in Stoneham, credited the agency for promulgating the CMR, he questioned the manner in which it was passed.

“With no fanfare and absolutely no real jumping out and telling everybody, the [Office of Consumer Affairs] in two months is changing around entirely the way the commonwealth looks at these things, and it could really make everyone’s life quite miserable,” he said. “A lawyer who may barely know how to use a computer is going to have to try to figure out how to do encryption just to be able to comply with the law.”

Prior to the extension, Murray acknowledged that his agency had received many requests to push back the start date.

Joseph J. Laferrera, of Gesmer Updegrove in Boston, was one of those who said that Jan. 1 was not a realistic date for compliance.

“These are not general, ambiguous, amorphous requests from the state that ‘appropriate actions be taken,’” he said. “The concern we have is that there are some very specific items in the regulations that businesses in Massachusetts are going to have to really look at and address in some level of detail, if they are going to be in full compliance.”

Schreiber noted that the breadth of the regulations makes compliance even more difficult.

“I’m not sure anyone has their hands around encryption, and the law has no exceptions,” he said. “It covers everybody that has information about a Massachusetts resident, and that includes law firms.”

In a Nov. 14 statement, Crane said many of the regulations are already widely used by Massachusetts companies.

“[B]ut we recognize that some businesses, currently facing economic uncertainties, will benefit from having additional time to comply,” he said. “The action taken today serves to provide flexibility to businesses working to implement the necessary measures to safeguard their customers’ personal information in a timely manner.”

According to Crane’s statement, the new deadlines are as follows:

• The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them is May 1, and the deadline for requiring written certification from third-party providers is extended to Jan. 1, 2010; and
• The deadline for ensuring encryption of laptops is extended to May 1, and the deadline for ensuring encryption of other portable devices will be further extended to Jan. 1, 2010.

Bad timing

With the possibility that violators could be subject to enforcement by the attorney general or a private cause of action, Kautz predicted the demand for legal services will rise.

“This new regulation could just as easily be called the ‘Lawyers Full Employment Act,’ with all the time we’ll be spending trying to explain to these businesses what they’re supposed to be doing,” he said. “The concern I have is that imposing this on everybody all at once, with no big ad campaign to tell us it’s out there, is dangerous.”

John R. Regan, executive vice president for government affairs for the Associated Industries of Massachusetts, said another controversial section of the CMR requires businesses to obtain a certification of compliance from service providers before allowing them to access personal information.

“Not all licensed service providers are even in Massachusetts, so you’re talking about people in other states and other countries,” he said.

With many businesses suffering as a result of the current economic crisis, Regan, whose group consists of 7,000 members, said that the timing of the regulations could not be worse.

“Our first concern is that there are an awful lot of companies that don’t know anything about it,” he said.

Responding to criticism about the lack of notice, Murray said his office has been in regular communication with numerous trade organizations, businesses, lawyers and chambers of commerce.

“We are trying to do what we can to get the word out, but is everyone going to know about this? I don’t think there is a single thing you can do to make that happen,” he said. “But we haven’t been hiding out. We’ve been out there trying to talk to as many business and consumer groups as we can.”

Pressure is on

In the meantime, lawyers say that with Chapter 93A sanctions a possibility, the consequences of an infraction could be costly.

Asked how aggressively AG Martha Coakley intends to pursue those suspected of non-compliance, spokeswoman Amie Breton declined to comment other than to say her office is still reviewing the role it will play in enforcement.

‘Concept of reasonableness’

In response to concerns about enforcement, Murray said that the CMR was not designed to treat every business the same.

The statute under which the CMR was enacted, and the regulation itself, both state that compliance is to be judged by taking into account the size and scope of a business, the resources it has available and the amount of data it stores, he pointed out.

“Lawyers should not be strangers to the concept of reasonableness — that’s all this kind of sliding scale to compliance does,” Murray said. “It is simply tailored to fit the particular circumstances of the business involved.”

Despite the criticism from the business community, Murray said the Office of Consumer Affairs is just following its mandate to create a specific set of standards for the handling of personal information.

“There is a balance we need to strike between the needs of businesses and the needs of the residents of Massachusetts to be protected from disruptions that lead to identity theft or fraud, and we think we’ve done that,” he said.

In an effort to determine precisely what an individual entity must do moving forward, Murray suggested lawyers and their clients view the agency’s checklist at mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf.

“We assume there are large numbers of businesses that are acting responsibly, and for those businesses I don’t anticipate there will be any huge burdens placed on them,” he said.

“But there are always those people who have been doing nothing and have been neglectful of the kind of attention we think is appropriate when it comes to people’s personal information. Those people are going to have some work to do.”