What Does the Regulation Require?

Every business that “owns or licenses personal information” about a Massachusetts resident must “develop, implement, and maintain” a comprehensive written information security program (WISP).  “Owns or licenses” is defined as “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”  “Personal information” (PI) means first name (or initial) and last name combined with a Social Security number, driver’s license or state-issued ID card number, or financial account or credit or debit card number (with or without any required password, security or access code, or personal identification number).

The WISP must contain administrative, technical and physical safeguards for PI that are “appropriate to (a) the size, scope and type of business . . .; (b) the amount of resources available . . .; (c) the amount of stored data; and (d) the need for security and confidentiality” of the PI. 

WISP – Required Elements

The elements required in a WISP include:

• Designating one or more employees to maintain the program
• Identifying and assessing foreseeable internal and external risks to the security, confidentiality or integrity of records containing PI
• Evaluating and improving safeguards for limiting risks, including employee training and compliance and means for detecting and preventing security failures
• Developing security policies regarding storage, access and transportation of records containing PI outside of business premises
• Imposing disciplinary measures for violations of security rules
• Preventing terminated employees from accessing records containing PI
• Imposing restrictions on physical access to records containing PI
• Regular monitoring of the operation of the WISP
• Reviewing security measures annually or whenever a material change in business practices implicates the security or integrity of records containing PI
• Documenting responsive actions taken in connection with any security breach incident and conducting post-incident reviews
• Selecting service providers capable of maintaining appropriate measures to protect PI
• Contractually requiring service providers to maintain appropriate security measures (every service provider contract entered into before March 1, 2010 is deemed to comply)

Computer System Requirements

For businesses that electronically store or transmit personal information, the WISP must also include the establishment and maintenance of a computer security system (including any wireless system) that, “at a minimum, and to the extent technically feasible,” contains:

• Secure user authentication protocols, including control of user IDs, a “reasonably secure” method of assigning and selecting passwords (or use of unique identifier technologies), control of data security passwords, restricting access to active users, and blocking access after multiple unsuccessful attempts
• Secure access control measures that restrict access to PI to only those who need such information to perform their jobs and that assign unique identifications plus passwords that are designed to maintain the security of access controls
• Encryption of all transmitted records and files that contain PI and travel across public networks
• Encryption of all PI transmitted wirelessly or stored on laptops or other portable devices
• Reasonable monitoring of systems for unauthorized use of or access to PI
• For files containing PI on a system connected to the Internet, reasonably up-to-date firewall protection and operating system security patches designed to maintain the integrity of the PI
• Reasonably up-to-date versions of system security agent software, including malware protection and patches and virus definitions
• Education and training of employees on the proper use of the computer security system and the importance of PI security

What is the Penalty for Non-Compliance?

Violators may be subject to a $5,000 civil penalty for each violation. How violations will be counted for purposes of the penalty is unclear. If violations are counted on a per-record basis, businesses with thousands of records containing PI of Massachusetts residents could potentially face fines of millions of dollars.

How Can My Business Comply?

The revised, final regulation is not quite as demanding as earlier versions, but it is still a tough regulation that may require businesses to revise existing – or create new – WISPs. The regulation is also indicative of the direction in which state and federal information security laws are heading. Because of this, even businesses not subject to the regulation may want to consider creating and implementing WISPs that comply with the standards of the Massachusetts regulation.
 

Idea from Thomas F. Goldman

About ‘Case in Point’ – ‘Case in Point’ is a weekly cartoon series, created by CaseCentral Corporation, that illustrates the lighter side of eDiscovery. ‘Case in Point’ also runs a contest inviting anyone from the expansive eDiscovery realm – lawyers, IT staff, judges, service providers, paralegals, writers and consultants – to submit their own humorous experience or a scenario they find particularly funny. Participants may submit cartoon ideas online at http://www.casecentral.com/caseinpoint/idea for consideration. Readers who see their idea turned into a cartoon will receive a copy of the final cartoon signed by the artist, Tom Fishburne.

Permission to reproduce ‘Case in Point’ cartoons is granted on the conditions that any cartoon used is reproduced “as is” and that the re-use is not for purposes of resale or direct compensation. Please provide CaseCentral with a copy of any such use by sending an email with attached sample to: caseinpoint@casecentral.com.

Case in Point mailing list – Visit www.casecentral.com/caseinpoint/mailsignup/ to have Case in Point sent weekly to your eMail. To opt out, send an email titled “UNSUBSCRIBE” to caseinpoint@casecentral.com.

Case in Point Resources – Get the ‘Case in Point’ one year anniversary screen saver: www.casecentral.com/case-in-point/resources/ or ‘Case in Point’ mobile for your iPhone or Blackberry: www.casecentral.com/case-in-point/mobile/.

Case in Point Café - Visit http://www.cafepress.com/CaseInPoint to turn your favorite cartoon into a keepsake or gift for that special eDiscovery somebody.

About the cartoonist – CaseCentral is pleased to feature Tom Fishburne as the cartoonist behind ‘Case in Point.’ See Tom’s bio here: http://www.tomfishburne.com/tomfishburne/bio.html

About CaseCentral – Case in Point is sponsored by CaseCentral. Visit www.casecentral.com to learn more about CaseCentral’s eDiscovery products and services.

To deliver an expanding range of e-discovery resources, EDRM is pleased to re-publish the audio materials offered by e-Discovery Zone Audiocasts and ESIBytes.

e-Discovery Zone Audiocasts

Hosted by Tom O’Connor, Director of the Gulf Coast Legal Technology Center, Browning Marean, Senior Counsel at DLA Piper, and TechLaw Solutions,e-Discovery Zone Audiocasts features interviews of a variety of guests, including industry experts, counsel, attorneys and judges.

To go directly to TechLaw’s e-Discovery Zone Audiocasts page, click here

EDRM is republishing the e-Discovery Zone Audiocasts at edrm.net/2240

ESIBytes Podcasts

Powered by JurInnov and hosted by Karl Schieneman, ESIBytesTM showcases the opinions of electronic discovery experts via downloadable podcasts.

For a list of scheduled podcasts, click here

To go directly to the ESIBytes site, click here

EDRM is republishing the ESIBytes Podcasts at edrm.net/4109