Final regulations (pdf) were filed by the Massachusetts Office of Consumer Affairs and Business (“OCABR”) on November 4, 2009 and the regulations became officially effective on March 1, 2010. Under the new regulation, any person or business that owns or licenses “personal information” of a Massachusetts resident, including those who “receive, store, maintain, process, or otherwise access [certain limited] personal information in connection with the provision of goods of services or in connection with employment” must have a data security program in place.
The type of information that triggers the law is limited to first and last name with one or more of the following: (1) Social Security number; (2) driver’s license or state-issued ID card number; or (3) financial account or credit card number.
The regulations requires that every person or business that has the “personal information” of a MA resident develop, implement and maintain a “comprehensive information security program (“CISP”) that is written in one or more readily accessible parts” by March 1, 2010. Companies will need to review and update any existing privacy and data protection policies to be compliant with the regulations and adopt in writing a CISP. Employees must also be trained with respect to such policies. The information security program must be reasonably consistent with industry standards and must contain administrative, technical, and physical safeguards to protect the personal information of Massachusetts residents.
We have talked frequently of the word “reasonable” in class, specifically as a legal “term of art.” In other words, the current industry standards for personal information protection/information security could determine the reasonable precautions a defendant should take to protect personal data. “Industry custom” is still accepted in courts, and still used in cases such as medical malpractice. A company can avoid or reduce its liability exposure for security breaches of any kind, if it maintains a proactive IT staff and aggressively gathers information about developing technology. The new MA regulation is designed to speed that process along to companies that deal directly with MA residents personal information. We will talk about this more as the semester progresses.