On August 17, 2009, the Office of Consumer Affairs and Business Regulation (“OCABR”) issued a new deadline of March 1, 2010, for businesses that own or license personal information to be in compliance with the Standards for the Protection of Personal Information of Residents of the Commonwealth (“regulations”) established by the OCABR. See generally, 201 C.M.R. 17.00, et seq. These regulations mandate that businesses develop, implement, and maintain a comprehensive written information security program to protect personal information. The amended regulations are discussed below.
Who is Covered?
The regulations apply to all “persons that own or license personal information.” The definition of “owns or licenses” now explicitly focuses on the protection of personal information in “connection with the provision of goods or services or in connection with employment.” This means that employers who collect and maintain personal information, such as that kept in employees’ personnel files, are subject to the data security regulations.
Persons and businesses covered by the data security laws and regulations must have in place a “Comprehensive Information Security Program.” This requirement has been modified to state clearly that the program should be tailored to the size, scope, and type of business. This version clarifies that a small business, with a smaller amount of personal information to protect and more limited resources to protect it will not be held to the exact same standard as a larger corporate entity with a greater amount of personal information to protect and the means to do so.
Third-Party Service Providers
In the initial version of the regulations, persons that own or license personal information were required to obtain a contract with a third-party vendor that stated the vendor’s compliance with the data security regulations. When the OCABR revised the regulations for the first time, this requirement was omitted. Now, the contractual requirement has been reinstated and provides a two-year window for compliance.
Computer System Security Requirements
The computer system security safeguards (including secure access control measures, monitoring the system for unauthorized use, and other secure access measures) have been modified to require them only “to the extent technically feasible.”
(For more information, see Morgan, Brown & Joy’s previous Client Alerts: “Massachusetts Data Security Regulations: Deadline for Compliance Delayed Until January 1, 2010,” dated February 17, 2009 and “Municipalities Must Comply with Portions of Massachusetts Data Security Law,” dated June 26, 2009).
Compliance Will Be Measured on a Case-by-Case Basis
This overview of the data security laws and regulations touches on the minimum required of employers that employ Massachusetts residents. Compliance with these regulations will account for the size, scope, and type of business; the amount of resources available to the business; the amount of stored data to protect; and the need for security and confidentiality of consumer and employee information. See 201 C.M.R. 17.03. Again, the revised deadline for compliance is March 1, 2010. If you have questions or concerns about the data security laws and regulations, please contact your MBJ attorney.
Further Change Anticipated
The Office of Consumer Affairs and Business Regulation will hold a hearing on the revised regulations on September 22, 2009 at 10:00 a.m. The hearing will be held in Room No. 5-6, Second Floor of the Transportation Building, Ten Park Plaza Boston, Massachusetts 02116. In addition to oral testimony, the OCABR will accept written comments up to the close of business day on September 25, 2009. Send such comments to: Attn: Jason Egan, Deputy General Counsel, OCABR, Ten Park Plaza, Suite 5170 or via e-mail at: Jason.Egan@state.ma.us.
In light of the rolled-back deadline and in anticipation of further changes flowing from the public comment period, the MBJ in-house seminar, “Massachusetts Personal Information Law: Are You Ready?” originally scheduled for September 10, 2009 will be rescheduled to November or December 2009. Details on the rescheduled seminar will be announced as the date approaches.
Finally, it is anticipated that these regulations may continue to evolve, both in substance with respect to the date(s) of implementation. Please check our website for updates, or contact your MBJ attorney for the most up-to-date information.
Rachel Muñoz, Esq. is an attorney with Morgan, Brown & Joy, LLP and may be reached at (617) 523-6666 or at firstname.lastname@example.org. Morgan, Brown & Joy, LLP focuses exclusively on representing employers in employment and labor matters.
This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances by Morgan, Brown & Joy, LLP and its attorneys. This newsletter is intended for general information purposes only and you should consult an attorney concerning any specific legal questions you may have.