Massachusetts Agency Revises Information Security Regulations -- Yet Again

Image by Producer

In what appears to be an on-going effort to find the right balance between information security and burdens on businesses, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) has materially revised—for a second time—regulations that were initially promulgated in October 2008, and has extended the compliance deadline for a third time. We have discussed the regulations in detail in prior blog posts. Consequently, we will only focus on the most recent revisions, which are described below:

  • New Compliance Deadline: The compliance deadline has been extended from January 1, 2010, until March 1, 2010.
  • Third-Party Service Providers: While the regulations still require that employers expressly address information security in their contracts with vendors who create or receive personal information on the employer’s behalf, employers now have until March 1, 2012, to negotiate amendments to vendor agreements entered into before the March 1, 2010 compliance deadline. Vendor agreement entered after that date must require that vendors implement and maintain “appropriate security measures to protect [Massachusetts] personal information” in a manner that is consistent with the regulations and applicable federal law.
  • Break For Small Businesses: The prior regulations applied equally to businesses of all seizes. The revised regulations are scalable. In other words, the “appropriate” administrative, technical and physical safeguards may vary depending on (a) “the size, type and scope of business” involved; (b) the business’ available resources; (c) “the amount of stored data”; and (d) “the need for security and confidentiality of both consumer and employee information.”
  • Elimination Of Several Onerous Requirements: OCABR has completely deleted requirements that data owners (a) collect only the minimum necessary personal information, (b) retain such information for only as long as is necessary to achieve the purpose for which the information was collected, (c) restrict access to personal information to those with a need to know, and (d) identify all locations and devices where personal information is stored. These requirements were among the most burdensome in the regulations as previously drafted.
  • Less Prescription: The revised regulations eliminate several provisions which specified how certain safeguards should be accomplished. First, the requirement to provide physical safeguards previously mandated “a written procedure that sets forth the manner in which access to . . . records [containing personal information] is restricted.” The revised regulations merely require “[r]easonable restrictions upon physical access to records containing personal information. Second, the previous regulations required that data owners restrict terminated employees’ access to personal information “by immediately terminating their physical access and electronic access to such records, including deactivating their passwords and user names,” whereas the revised regulations eliminates the quoted language. Third, rather than requiring a “comprehensive, written information security program,” the revised regulations now require a comprehensive information security program “that is written in one or more readily accessible parts.” Finally, the definition of “encryption” no longer requires “the use of an algorithmic process” so long as the process results in “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.”

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.