Since 2003, when California enacted the first state law dealing with data breach notification requirements, that state has been regarded as the most aggressive in the country when it comes to protecting personal information from the risks of data breaches and identity theft. Enter Massachusetts, with what may be the broadest subsequently enacted data breach notification statute, by virtue of its requirement that data actually be encrypted at a specified level (128+-bit encryption). Moreover, effective January 1, 2010, all businesses that maintain personal information on Massachusetts residents must affirmatively adopt a security policy that meets minimum standards or risk penalties and enforcement actions.
Under authority of Massachusetts General Laws, Chapter 93H, Section 2, the Massachusetts Office of Consumer Affairs & Business Regulation adopted regulations mandating written security programs and minimum computer security measures. These regulations are codified at 201 C.M.R. 17.00 (http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf).
Because Massachusetts is so populous, the regulations encompass a significant number of businesses across the country. The comprehensive written security program must satisfy twelve specific criteria and generally reflects common-sense practices that may not be difficult for many organizations to comply with, particularly if efforts are already underway to implement an identity theft protection program under the Federal Trade Commission’s Red Flag Rules, now scheduled to take effect on November 1, 2009 (http://ftc.gov/opa/2009/07/redflag.shtm).
However, numerous companies will likely be caught off guard by the breadth of the state’s minimum computer system security requirements. In particular, two of the more onerous provisions are the requirements that covered data in transmission and covered data stored on laptops and other portable devices be encrypted. Specifically, the elements that must be included for a computer security program to be compliant are:
- Secure user authentication protocols including control of user IDs, secure password selection method, control of data security passwords, restricting access to only active users, and blocking access after multiple unsuccessful attempts;
- Secure access control measures that restrict access to only those who need personal information for job duties, and assign unique IDs plus passwords to each person with computer access;
- Encryption, to the extent technically feasible, of all transmitted records and files containing personal information that will travel across public networks or be transmitted wirelessly;
- Reasonable monitoring of systems for unauthorized access;
- Encryption of all personal information stored on laptops or other portable devices;
- Reasonably up-to-date firewall protection and operating system security patches;
- Reasonably up-to-date versions of system security agent software, including malware protection and virus definitions; and
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.
Massachusetts is undoubtedly a harbinger of the continuing trend toward stricter minimum data security standards at both the federal and state levels.