New and Extensive Massachusetts Data Protection Law
By Craig Foster and Vicki Ballou
Do you have clients who are Massachusetts residents? If so, you should know that, beginning March 1, 2010, a new Massachusetts regulation will require that you implement a comprehensive information security program to protect the personal data of such clients. Noncompliance may expose your company to injunctions, fines and liability for costs associated with enforcement litigation. The regulation is extensive as to the data and entities covered and the requirements imposed.
Covered Personal Data. The personal data covered by this regulation is any nonpublic data, however obtained, containing a Massachusetts resident's:
first name (or first initial) and last name; and
either (a) Social Security Number; (b) driver's license number or state-issued identification card number; or (c) financial account number or credit/debit card number, even without a security code, PIN or password.
Covered Entities. The regulation applies to all persons who own, license, receive, store, maintain, process or otherwise have access to the data described above, either in paper or electronic form, about a Massachusetts resident. If you have a Massachusetts client, you almost certainly have that client's specified personal data in your files. This law will apply to you even if you have only one Massachusetts client and, therefore, are not required to register or make notice filings in that state.
Requirements. A company subject to the regulation must implement a comprehensive information security program consistent with industry standards. While the specific measures necessary to comply with the regulation will vary based on the nature of the business and the type of data involved, programs must generally have: (a) employees designated to maintain the program; (b) ongoing training; (c) program monitoring; (d) various preventive measures; and (e) disciplinary measures for violations. In addition, covered entities must take reasonable steps to verify that third-party service providers with access to personal data also apply protective security measures.
Similar Laws in Oregon and Washington. Oregon has a similar law, the Oregon Consumer Identity Theft Protection Act, which was adopted in 2007 and amended in 2009. However, if you are in compliance with the privacy requirements of the Gramm-Leach-Bliley Act (as is required of all investment advisers), the Oregon law does not apply to you, except to the extent you have a breach of security relating to your employees' personal information. Washington's personal data protection laws do not explicitly require the implementation of a security program, but they do require that you disclose any security breach that compromises the security, confidentiality or integrity of personal information maintained by your business.
Red Flag Rules. The Federal Trade Commission's "Red Flag Rules" pick up where state and federal data security rules end. The Red Flag Rules require companies that allow their clients to pay later for the company's goods or services, and companies that hold consumer "transaction accounts," including mutual funds that offer accounts with check writing or debit card privileges, to adopt written programs designed to detect, prevent and mitigate identity theft. Those rules will be the subject of a separate client alert.