With the first anniversary of the Massachusetts Data Security Regulations, 201 CMR 17 (pdf) (“Regulations”), coming in March, the International Association of Privacy Professionals (IAPP) recently hosted a panel discussion providing direct access to the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation to discuss their investigations to date and their current approach to enforcement. Panelists included Scott Schafer, Chief of the Consumer Protection Division, Massachusetts Attorney General's Office; Shannon Choy-Seymour, Assistant Attorney General, Consumer Protection Division, Massachusetts Attorney General's Office; Jason Egan, Deputy General Counsel, Massachusetts Office of Consumer Affairs and Business Regulation; and Lam Nguyen, Director (Digital Forensics), Stroz Friedberg LLP.

Scott Schafer opened with an overview of the enforcement actions to date and the daily reviews his office conducts. Schafer noted at the outset, the Attorney General’s (AG) current enforcement approach is not audit based due to insufficient resources. However, the AG is receiving a daily average of three to four data breach notifications pursuant to Massachusetts General Laws Ch. 93H (the “Notice Law”), and each breach report is closely reviewed. According to Schafer, the AG’s Office is looking for warning signals that may indicate noncompliance with the Regulations that would trigger a detailed investigation. Some of the circumstances likely to trigger a detailed investigation include:

• The reporting entity knew of the breach, but failed to notify affected individuals as required by the Notice Law.
• A Written Information Security Plan (WISP) cannot be produced.
• The WISP is inadequate, or had significant gaps because of a lack of due diligence in the risk assessment process.
• The compromised data was stored or maintained in circumstances not compliant with the “reasonable” security required by the Regulations.
• Unfairness or deception around the purpose for which the data was originally collected.
• Collected data that was subsequently used for purposes not disclosed to consumers, or where the collection itself is not disclosed leading to unfairness or deception to Massachusetts residents.

Shannon Choy-Seymour stated that she typically will ask to review a business’ WISP if the notification of security breach submitted to the AG revealed non-compliance with the Regulations. According to Choy-Seymour, she takes into account the size and scope of the business in question and the sensitivity of the data compromised when deciding whether to ask the business to submit its WISP. The AG recognizes that achieving full compliance may be a longer process for small businesses. In particular, Choy-Seymour stated the WISP must identify who is in charge of the businesses’ information security program, demonstrate the required risk assessment to create a reasonable plan, and include employee training. Further, “reasonable” steps toward compliance with the relevant policies should be evident, and when in place can reduce the risk of enforcement actions even if full compliance has not yet been achieved.

Businesses should carefully review the data handling and protection practices of vendors. If a business notifies the AG of a security breach caused by a vendor, the AG likely will not subject the business to a full investigation where the business can produce (a) evidence of due diligence conducted by the business before selecting the vendor, or (b) a contract that addresses the vendor’s obligations to protect the security of personal information received from the business.

Scott Schafer advised businesses to notify his office in virtually all cases of a suspected breach. He stated that

[E]veryone should know that not notifying us is the first mistake.”

He pointed out that although encryption can be regarded as a “safe harbor” from the statutory breach notification obligation, that is not the case where the breach also compromised the encryption key, which (according to Schafer) occurs with relative frequency. Schafer pointedly advised that all back-up media tapes should be encrypted and handled with appropriate safeguards while in transit to a vendor for disposal. Further, Schafer opined that encryption algorithms that are unbreakable today are likely to be broken in the near future as computing power continues to increase. If a business relies upon inadequate encryption to justify a decision not to comply with the Notice Law, the AG will view the failure to notify as a violation subject to fine. The AG will assist businesses by reviewing and suggesting revisions to proposed breach notices that must be sent to Massachusetts residents to report a data breach under the Notice Law.

The implementation of the Regulations is still evolving, but the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation is taking a collaborative approach to enforcement. They are working with businesses to improve administrative, physical and technical safeguards for personal information of Massachusetts’ residents and to create and maintain the policies and practices that ensure the protections remain current. Schafer noted in closing that he is in frequent contact with his counterparts in other states and territories with data breach notification laws. He often compares notes on which businesses have given notice of recent incidents. Schafer noted that data breach notifications are public record and are accessible under the Freedom of Information Act.

The AG’s office continues to meet with local Chambers of Commerce and small businesses in Massachusetts to close the gap between education and compliance. Businesses that have the resources and are of medium and large scope and size should not expect the same leniency. Such businesses must have the required administrative, physical and technical safeguards in place and conduct the appropriate risk assessment with respect to their employee and customer information. They also must provide privacy training to their telecommuting workforce subject to the Regulations. Businesses should ensure that they have the necessary policies and risk assessments in place to protect valuable employee and customer information and offer training for employees in the policies that are implemented to safeguard that information.

This entry was written by Ellen M. Giblin.

Photo credit: callum bennetts