Massachusetts Regulators Provide Significant Insight Into Enforcement of Stringent Information Security Regulations That Are Effective as of Today (March 1, 2010)

Touted as the most stringent information security regulations to date, Massachusetts’ requirements—applicable to both customer and employee personal information—mandate the implementation of a comprehensive written information security program. As explained in previous blog posts, the regulations require “cradle-to-grave” protections for the following categories of information about Massachusetts residents when combined with first name or initial and last name: Social Security number, driver’s license and other government-issued identification number, debit or credit card number, and financial account number. One critical question for organizations, particularly those grappling with tightened budges, is where to focus limited resources in light of the enforcement risk. Recent statements by Massachusetts regulators provide a view towards the answer.

In an interview published on February 27 in BNA’s Privacy and Security Law Report, the director of the agency that promulgated the regulations, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR), made three statements that could have an important bearing on enforcement. First, OCABR takes the position that the regulations apply even when the personal information of Massachusetts employees is stored in a centralized human resources database located at a corporate headquarters outside of Massachusetts. Second, in the director’s view, employers have virtually no excuse for failing to encrypt personal information stored on laptops. Third, although current technology does not permit encryption of personal information stored on a hand-held device, such as a Blackberry® or a Smartphone®, employers should consider other steps that will limit the risk to Massachusetts personal information if the hand-held device is lost or stolen.

During a presentation at the Massachusetts Information Security Summit on January 27, the chief of the consumer protection division for Massachusetts’ Office of the Attorney General, which will be responsible for enforcing the regulations, suggested that his office will not be conducting compliance audits. Rather, the office will select potential targets for enforcement from security breach notifications. Under Massachusetts law, such notifications must be sent to affected Massachusetts residents and to the Attorney General’s Office when unencrypted Massachusetts personal information has been acquired or used by an unauthorized person in a manner that creates a substantial risk of identity theft or fraud.

Given that the loss and theft of portable devices is one of the likeliest causes of a security breach and in light of these regulators’ recent statements, employers can substantially reduce the risk of an enforcement inquiry or action by focusing particular attention on those devices. Policies to consider include the following:

  • Prohibit employees from storing personal information on a laptop except in those limited circumstances, such as the need to work on an airplane, where the information can not be accessed through a secure, remote connection to the corporate server;
  • In the limited circumstances where employees can permissibly store personal information on a laptop, require the installation of disk-based encryption and the deletion of the personal information from the laptop when the business purpose has been accomplished;
  • Train employees not to store any personal information on a hand-held device and to immediately report the loss or theft of a hand-held device so that the company can send a “kill signal” that will delete all information from the device;
  • Train employees to save an e-mail or attachment containing personal information to the network server and permanently delete the e-mail from their e-mail inbox, thereby eliminating the ability to access those e-mails from a hand-held device; and
  • Multi-state employers should consider applying these steps to all employees, not just those located in Massachusetts. 

This entry was written by Philip L. Gordon.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.