Sweeping Regulations Implementing New Massachusetts Data Security Law Effective March 1, 2010
All Businesses Possessing Personal Information on Massachusetts Residents Are Subject to the Law

Frances Floriano Goins, Esq., Scott A. Meyers, Esq., Michael D. Stovsky, Esq. and Wayne M. Serra, Esq.

2/19/2010 

Massachusetts’ new regulatory Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00 et seq., take effect March 1, 2010. The regulations, which are among the most sweeping in the nation, require every business that owns, licenses, maintains, or stores personal information of a Massachusetts resident, including investment advisers, private fund managers, and other financial services providers, to safeguard that personal information. The Standards apply to personal information maintained on paper as well as to electronic information stored on a computer system or a portable device, transmitted across a public network, or maintained on a system connected to the Internet.

Reporting Obligations
Businesses that own or license the personal information of a Massachusetts resident are statutorily required to give notice of any breach of security, or any unauthorized acquisition or use of such personal information, to the Massachusetts Attorney General, the Massachusetts Director of Consumer Affairs and Business Regulation, and every affected Massachusetts resident as soon as the business knows or has reason to know of the breach.

Definition of “Personal Information”
Under the Standards, personal information consists of the first and last name, or first initial and last name of a Massachusetts resident, together with any of the following pieces of information:

  1. Social security number;
  2. Driver’s license number or state issued identification card number; or
  3. Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

Implementation and Maintenance of Comprehensive Information Security Program Required
Businesses that own or license personal information about a Massachusetts resident are required to ensure the security and confidentiality of that information and to protect against anticipated threats or hazards to it, and against unauthorized access to or use of it, that could result in substantial harm or inconvenience to any consumer.

To comply, businesses must adopt comprehensive, risk-based, information security programs to protect consumer and employee information. Such programs must provide for, among other requirements:

  • Ongoing training;
  • Implementation and monitoring of compliance with protective policies and procedures;
  • Means for detecting and preventing system failures;
  • Oversight of third-party service providers;
  • Use of computer access controls and encryption of electronically transmitted information; and
  • Documentation of responsive actions to any breach, with a mandatory post-incident review and any change to business practices necessary to protect the personal information of Massachusetts residents.

Potential Liability
Businesses that fail to comply with the Standards face potential liability from suits by the Massachusetts Attorney General for injunctive relief and penalties, and from private suits or class actions by Massachusetts residents who claim to have been substantially harmed, or merely inconvenienced, by a data breach. Most courts that have heard data breach claims have dismissed them where the plaintiff could prove no harm beyond an increased risk of identity theft, reasoning that no actual damage was incurred. The Massachusetts Consumer Protection Act, M.G.L. ch. 93A, differs from most state laws in that it provides for an award of statutory damages as an alternative to actual damages, and a violation of the Standards can be claimed as a consumer protection violation. Companies therefore risk damage awards and awards of attorneys’ fees in Massachusetts for failing to properly prepare for, or respond to, a data breach, even though such damage claims may not be recognized in other jurisdictions.

Scope of Coverage
The Standards are not drafted for any one industry; they govern all entities that own or license personal information or that maintain or store such data for others. Although a significant data breach at a Massachusetts retailer (TJX) spurred the creation and adoption of the Standards, any company holding personal information of a Massachusetts resident must comply. The enabling statute provides some flexibility by requiring that the Standards take into account the size, scope and type of business, the resources available to it, the amount of data stored, and the need for security and confidentiality of the information. As a result, a company’s specific obligations will vary on a case-by-case basis.

Business-to-Business Provisions
The Massachusetts Consumer Protection Act includes a section that governs conduct between businesses. Each business must independently comply with the Standards, so a company using outside data processors cannot expect its vendors alone to insulate it from liability for noncompliance. Companies that use outside vendors for information technology or data processing services should ensure that those vendors comply with the Standards.

Assessing Your Regulatory and Compliance Needs
To the extent you maintain the personal information of Massachusetts residents or employees, feel free to contact the attorneys listed on this Client Alert to determine how the Massachusetts Standards could affect your business.
