Shelburne Falls
Shelburne Falls, Massachusetts, the heart of ten small towns, is a New England village located on the scenic and historic Mohawk Trail in the Berkshire foothills.
Data Security Law - Are You in Compliance?

Area Businesses Burdened By New Law

(2/9/09) SFABA members, including craftspeople, retail shops, restaurants, lodging, associations and non-profits, financial services, insurance, accounting and other employers, have new data management obligations.

Anyone who hires another individual, gathers personal information or takes credit cards is potentially affected.

Massachusetts has become one of the most aggressive states in the country in protecting personal data. It has adopted a new data breach law, a new document destruction law and regulations that may represent some of the most far-reaching information security requirements anywhere in the US.

The regulations establish minimum standards for business owners in safeguarding personal information in both paper and electronic formats, and may require significant operational and technological changes for businesses that have custody of personal information, including employer records and customer data.

Businesses have until May 1, 2009 to comply with requirements that go beyond established federal standards. The Massachusetts data breach law applies to individuals, corporations, associations and partnerships. No industry sector or business size that holds personal information, as defined, is exempt from these laws or regulations. A range of businesses not previously subject to regulation will therefore have to adhere to these rules and begin constructing or enhancing information security, incident response, data breach and data destruction policies.

All entities that maintain "personal information" (see definition below) about any customer or employee who is a Massachusetts resident must comply with these regulations.

The regulations define "personal information" as:

"a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

(a) Social Security number;

(b) driver's license number or state-issued identification card number; or

(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public."

Note that a name alone, or a data element alone, is not "personal information" under this definition; it is the combination of the two that triggers the obligations.

Summary of Regulations

The regulations call for businesses to:

  • Develop a security program, designate an employee to manage it, and discipline employees who violate it;
  • Assess internal and external security risks and the effectiveness of current safeguards, upgrading as necessary;
  • Train employees regarding security;
  • Institute security policies for employees that meet certain specified standards;
  • Prevent terminated employees from gaining access to personal information;
  • Ensure that service providers are capable of protecting personal information, contractually bind them to do so, and have them certify that they have a compliant written information security program;
  • Limit the amount of personal information collected and how long it is kept, and restrict access on a need-to-know basis;
  • Identify records containing personal information, or treat all records as if they did;
  • Regularly monitor employee access to personal information;
  • Review security measures annually, take corrective action when necessary, and document actions taken in response to security breaches; and
  • Restrict physical access to records containing personal information.

There are also additional elements for electronic records:

  • Establish user authentication protocols that include control of user IDs and a secure method of assigning passwords (including prohibiting the use of vendor-supplied default passwords) or other unique identifiers such as token devices;
  • Keep passwords in a location and format that does not compromise the security of the data they protect, restrict access to active users only, and block access after multiple unsuccessful login attempts;
  • Restrict access to personal information on a need-to-know basis;
  • Monitor systems periodically for signs of unauthorized use of or access to personal information;
  • Keep malware protection and virus definitions reasonably up to date.

The same regulation (201 CMR 17.04) also requires encryption of personal information transmitted across public networks or wirelessly, encryption of personal information stored on laptops and other portable devices, and reasonably up-to-date firewall protection and operating system patches.
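The first two electronic-records elements above (no vendor default passwords, access limited to active users, lockout after repeated failures) are the ones a small business is most likely to have to build or configure itself. The following is an added illustration, not code from SFABA or from the regulation, of what a minimal compliant login check looks like. The lockout threshold, the deny-list of default passwords and the user names are assumptions; the regulation fixes none of them.

```python
import hashlib
import os
import secrets

# Assumed threshold: the regulation says "multiple unsuccessful attempts" without a number.
MAX_FAILED_ATTEMPTS = 5

# Assumed, deliberately short deny-list of vendor-supplied defaults. A real deployment
# would use the default credential list published for the products it actually runs.
VENDOR_DEFAULT_PASSWORDS = {
    "admin", "password", "default", "1234", "12345", "changeme",
    "manager", "guest", "root", "cisco",
}


def password_allowed(password: str) -> bool:
    """Reject vendor defaults and trivially short passwords at assignment time."""
    if password.lower() in VENDOR_DEFAULT_PASSWORDS:
        return False
    return len(password) >= 8


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value does not reveal the password if the store leaks
    # ("password location does not compromise the security of the data").
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthStore:
    """In-memory user store with active/inactive flag and failed-attempt lockout."""

    def __init__(self, max_failed_attempts: int = MAX_FAILED_ATTEMPTS):
        self.max_failed = max_failed_attempts
        self._users = {}

    def assign_password(self, user_id: str, password: str) -> None:
        if not password_allowed(password):
            raise ValueError("vendor default or too-short password is not allowed")
        salt = os.urandom(16)
        self._users[user_id] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "active": True,
            "failed": 0,
        }

    def deactivate(self, user_id: str) -> None:
        # Terminated employees keep their record for audit but can no longer log in.
        self._users[user_id]["active"] = False

    def unlock(self, user_id: str) -> None:
        # Administrative reset after a lockout has been investigated.
        self._users[user_id]["failed"] = 0

    def authenticate(self, user_id: str, password: str) -> str:
        """Return "ok", "denied" or "locked". Unknown and inactive users both get "denied"."""
        rec = self._users.get(user_id)
        if rec is None or not rec["active"]:
            return "denied"
        if rec["failed"] >= self.max_failed:
            return "locked"  # refuse even a correct password until an admin resets
        candidate = _hash_password(password, rec["salt"])
        if secrets.compare_digest(candidate, rec["hash"]):
            rec["failed"] = 0  # a successful login clears the counter
            return "ok"
        rec["failed"] += 1
        return "locked" if rec["failed"] >= self.max_failed else "denied"


if __name__ == "__main__":
    store = AuthStore(max_failed_attempts=3)
    store.assign_password("clerk", "correct horse battery")
    print(store.authenticate("clerk", "correct horse battery"))  # ok
    for _ in range(3):
        print(store.authenticate("clerk", "wrong"))  # denied, denied, locked
    print(store.authenticate("clerk", "correct horse battery"))  # locked
```

Two design points matter for compliance rather than just for correctness: the counter is checked before the password is compared, so a locked account cannot be brute-forced "through" the lock, and the counter only resets on a successful login or an explicit administrative unlock, so the lockout is an event that leaves a trace rather than one that silently expires. A lockout that never expires is also a denial-of-service lever against a known user name; many deployments pair it with a time window, which is a business decision the regulation leaves open.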

Note: This information is provided to SFABA members as an information service and is not intended as legal advice. Contact your accountant or lawyer for additional information about what you need to do to comply with the law.