Privacy and Data Security Update, September 23, 2008
As of January 1, 2009, all companies that own, license, store or maintain personal information concerning any Massachusetts resident must take comprehensive measures to protect that information from unauthorized access, disclosure or misuse.
Although the new regulations impose a broad range of requirements, the most pressing compliance issue for many organizations will be the new obligation to encrypt, to the extent technically feasible, all personal information of Massachusetts residents that is stored on any portable device (including laptops, flash drives, BlackBerry devices and cell phones) or that is transmitted over the Internet or by wireless connection.
Although laptop encryption is becoming more common, frequent reports of lost laptops containing unencrypted personal data demonstrate that many organizations have not completed the transition to encrypted storage on their portable devices. Similarly, some of the best-publicized losses of personal data, including those that resulted in massive identity theft, occurred through exploitation of insecure wireless connections.
Even organizations that have no facilities or personnel in Massachusetts should anticipate that they will be subject to the regulations if they maintain personal information of any Massachusetts resident. Personal information is defined as a resident's first name and last name, or first initial and last name, in combination with any one or more of the following: Social Security number; driver's license number or state-issued identification card number; or financial account number or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to the individual's financial account.
Besides the new encryption obligation, the regulations require entities that maintain personal information of Massachusetts residents to:
The new regulations also will require all affected organizations to review their relationships with service providers that have access to personal information of Massachusetts residents. Specifically, organizations must:
Also, a Nevada statute, scheduled to take effect on October 1, 2008, will require encryption by entities doing business in that state of all personal information leaving an organization’s system and transmitted over electronic networks. Taken together, the Nevada and Massachusetts enactments go a long way toward moving encryption from a best practice to a nationwide legal obligation. Moreover, the Massachusetts regulations go significantly further than any other state law or regulation by codifying many additional elements which have been best practice with respect to data security up until now.