November 5, 2009
Changes Include “Grace Period” Rather Than “Grandfathering” of Third-Party Service Provider Contracts
As highlighted in Bingham’s Privacy & Security Alerts dated October 31, 2008, November 18, 2008, February 18, 2009, and August 19, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) has issued regulations (the “Regulations”), codified at 201 CMR 17.00, requiring that persons who “own or license personal information about a resident of the Commonwealth” comply with strict requirements to safeguard such personal information.
As we have previously reported, the Regulations require ANY business that “receives, stores, maintains, processes, or otherwise has access to ‘personal information’” (i.e., first name or initial and last name, in conjunction with (1) Social Security number, (2) driver’s license or state-issued identification number, or (3) financial account or credit/debit card number) about a resident of Massachusetts to:
- Establish a comprehensive information security program with “up-to-date” firewall protection and identify and assess reasonably foreseeable internal and external risks to all systems that hold personal information of Massachusetts residents;
- Ensure that the safeguards of any information security program are “consistent with” similar safeguards imposed by any applicable state or federal law;
- Encrypt all wirelessly transmitted data and documents containing personal information sent over the Internet or saved on laptops or flash drives; and
- Take “reasonable steps” to select and retain third-party vendors that have the capacity to maintain appropriate security measures for personal information and contractually require such vendors to maintain such safeguards.
After a further notice-and-comment period, on October 30, 2009, the OCABR filed its final amended Regulations for 201 CMR 17.00 with the Secretary of State, to become effective March 1, 2010. Revisions to the final version were relatively minor, and include:
- The persons covered by the Regulations now include those who “store” personal information about Massachusetts residents, in addition to those who “receive, maintain, process, or otherwise have access to” such information.
- The revisions replaced a prior “grandfathering” of third-party contracts executed prior to March 2010 with a two-year grace period. Under the Regulations, contracts entered into with third-party service providers prior to March 1, 2010 will still satisfy the Regulations even if they do not include a contractual requirement to maintain appropriate security safeguards for personal information, but only until March 1, 2012. Parties entering into contracts between now and March 2010 with any third parties who receive, maintain, process, or store personal information should therefore consider whether the contract may extend beyond March 2012, and if so, should include the contractual requirement.
In adopting the final revisions to the Regulations, OCABR did not, however, accept a number of revisions proposed in the comment submissions, including:
- Adding flexibility to the Regulations consistent with the Commerce Clause in order to accommodate the many other federal and state data security regimes and to cover only conduct occurring within Massachusetts’ borders;
- Adding risk-based requirements to the Regulations so that the Regulations do not exceed the grant of authority provided to the OCABR by the Massachusetts legislature;
- Revising the requirement that certain security measures (e.g., encryption) be adopted by businesses “to the extent technically feasible” so that only “reasonable” security measures are required;
- Eliminating any ambiguity regarding whether the Regulations allow private rights of action by adopting language that grants enforcement powers solely to the Attorney General.
Given the OCABR’s determination not to incorporate these suggestions into the final Regulations, it remains to be seen whether any legal challenges to the effectiveness of the Regulations will be lodged. In the meantime, however, businesses with Massachusetts-based employees, customers, investors, or other significant stakeholders should prepare to be fully compliant with the final Regulations by March 1, 2010.