Following in the finest traditions of legislative “punting”, Massachusetts' General Court (the less-than-obvious name for the state legislature) passed data security legislation in 2007 and charged the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) to “adopt regulations relative to any person that owns or licenses personal information about a resident of the commonwealth.” Two years, multiple drafts, and several public hearings later, OCABR recently released what it’s calling final data security regulations, which will take effect this coming March. Despite all the angst over the past two years, from both businesses and privacy advocates, about a revolution in regulation, the final regulations borrow concepts liberally from the FTC, from some states’ data security or breach notification laws, and, unsurprisingly, from federal requirements for information systems security. The regulations mandate both general approaches and specific security practices.
So, what’s in the final regulations, in two sentences? Individuals or businesses who own, license, store or maintain personal information about Massachusetts residents have to develop and follow written, comprehensive, risk-based information security programs. These programs create a process, carried out by identified people, to evaluate the sensitivity of information and mandate appropriate protections. If this approach sounds familiar, it should. Ask any IT security professional what the Federal Information Security Management Act (FISMA) requires of federal agencies, and compare the duties imposed by section 17.03 of the regulations to the National Institute of Standards and Technology ("NIST") risk-management framework for designing and implementing information systems security, and you should get the same picture -- implement a process rather than specific technologies, and recognize that parties, protections, and the sensitivity of data all vary widely. It is no surprise that OCABR shifted to a risk-based approach, rather than the one-size-fits-all approach reflected in earlier drafts of the Massachusetts regulation, following a series of comments from businesses and other interested parties.
What is new, and potentially problematic for some, is that the regulations additionally require specific protections for personal information stored or transmitted electronically. Although many of the section 17.04 protections are fairly standard (for example, secure access controls and user authentication procedures), some go further, such as the requirement to encrypt personal information transmitted across public or wireless networks, or stored on laptops and other portable devices. In this, Massachusetts goes beyond other states that have passed laws requiring encryption of social security numbers before transmission over the Internet and, more recently, encryption of any personal information before transmission outside a business’s own secure system. Any laptop or portable device containing personal information about Massachusetts residents will have to be encrypted, not just protected by a password.
The good news? Encryption and the other specific computer security measures are only required “to the extent technically feasible” by the regulations. The bad? The regulations don’t define what “technically feasible” means. OCABR suggests in a FAQ that something is technically feasible “if there is a reasonable means through technology to accomplish a required result.” The next question -- if something is technically possible but economically prohibitive under the circumstances, is it a “reasonable means through technology”? -- remains somewhat open. Although the OCABR staff who drafted the regulation willingly admit they borrowed liberally from FTC concepts of reasonable security, which look at many surrounding circumstances including the size of a company, the sensitivity of the information involved, and possibly the cost of a particular practice, OCABR’s FAQ intimates that economic considerations don’t factor into whether a practice is technically feasible. While it is probable that businesses will seek additional clarification, at least on this point, any person who has not already come into compliance now has one more chance to meet the compliance deadline. Again.