
Protecting Personal Information

New Law Affects Virtually Every Business in the Commonwealth

It’s referred to as ‘201 CMR 17.’ It’s better known as the state’s tough new law regarding the protection of personal information, and business owners have considerable work to do if they and their employees are to be ready by the deadline for compliance with this legislation — Jan. 1, 2010.

The underlying statute, enacted in August 2007, requires that all businesses and individuals that own, license, store, or maintain ‘personal information’ — now a legal term with its own definition — have in place a comprehensive plan to protect that information and help prevent security breaches like the one at TJX Cos., discovered in late 2006, that led to the theft of more than 45 million customer credit- and debit-card numbers and prompted calls for such legislation.

Since nearly every enterprise in the Commonwealth falls into this category, the law will have a significant and potentially costly impact on the business community and individual companies. And it will have teeth, in the form of penalties that could reach $5,000 for each violation, in addition to other potential liabilities for investigative and restitution costs.

This is legislation that will make nearly every business owner somewhat painfully familiar with the acronym WISP, or ‘written information security program,’ which all businesses must have to be in compliance, and which must be comprehensive enough to meet a 32-point checklist promulgated by the state relative to maintaining the personal information and electronic records of customers and clients.

The original deadline to comply with 201 CMR 17 was Jan. 1, 2009, but the timeline was extended to May 1, 2009 amid protests from the business community and calls for more time to comply, and was then extended again to Jan. 1, 2010. There is no talk of any further extensions, so the time to act is now.

What follows is a primer on the new regulations and a comprehensive assessment of what business owners and managers must do to be ready for, and in compliance with, the new law.

By the Book

Perhaps the place to start is with that definition of personal information (PI), as set forth in the new regulations: it refers to a Massachusetts resident’s first name and last name (or first initial and last name) in combination with any of the following: a Social Security number, a driver’s license or state-issued ID card number, a financial account number or credit- or debit-card number, or any security code, access code, or password that would allow access to that person’s financial account.

With that definition, and given the profound growth in electronic financial transactions, the breadth of the measure is clear. First, it reaches every business that employs Massachusetts residents, since payroll and personnel files alone contain Social Security numbers. It also reaches each and every service provider and professional, from accountants and attorneys to retail stores and physicians’ offices — virtually every conceivable business or entity that maintains even a bare minimum of financial or personal information about its customers.

To be in compliance with the new law, all applicable businesses must have in place a comprehensive WISP. Under the regulations, such a plan must:

  • Include administrative, technical, and physical safeguards for personal information protection;
  • Designate employees to maintain and supervise the comprehensive security program;
  • Identify the paper, electronic, and other records and electronic storage systems (e.g. computers) that contain personal information;
  • Identify and evaluate foreseeable internal and external risks to paper and electronic records containing personal information;
  • Include regular, ongoing employee training and procedures for monitoring employee compliance, including disciplinary measures for violators;
  • Determine procedures for immediately blocking terminated employees’ access to company records;
  • Thoroughly analyze the capacity of third-party service providers (payroll, accounting, legal) to comply with the requirements of the regulations, including obtaining certification from such providers and assessing the locations where physical records are stored, with ongoing monitoring to prevent unauthorized access to those records;
  • Conduct an annual review of security measures; and
  • Establish specific standards for electronic records, including the assignment and use of user IDs and passwords; encryption of records containing personal information that are transmitted across public networks (E-mail included) or wirelessly; encryption of personal information stored on laptops and other portable devices; reasonably up-to-date firewall protection, system security agent software, and virus protection; and employee training on the proper use of these computer-security controls.

There can be no question that the aforementioned laundry list of requirements will impose some financial obligations on the affected individuals and businesses.

In fact, as the Commonwealth recently acknowledged in its “fiscal effect and small-business impact statement” relative to the new legal requirements, businesses that will be affected “may be subject to increased costs related to establishing and/or maintaining the comprehensive, written information security program” that is required by the new regulations.

Information Is Power

Meanwhile, the new law will change day-to-day operations at almost every business, because it changes how customer data is handled. Business owners should expect to confront displeasure and opposition from employees who will be forced to deal with encrypted devices and jump through extra hoops in their daily routines.

The new regulation will affect anyone who must move sensitive customer information on an electronic device, such as a USB flash drive, laptop, or PDA (Blackberry, iPhone, etc.), including both office workers and those who work from home.

How will workers cope with these changes in the protection of personal client information? For starters, they will need to be trained in how to handle PI and to adjust to new password policies and E-mail encryption. Depending upon the sensitivity of your company’s customer data, the new password policy and encryption software have the potential to significantly change the way your employees conduct business.

Encrypting E-mail is one of the many methods of PI protection. Some solutions force 100% compliance, and others leave more discretion in the hands of employees, so business owners and managers must balance their company’s need for security against employee inconvenience. The varying levels of E-mail encryption available include:

  • Software that scans all outgoing E-mails and attachments, automatically determines whether PI is present, and encrypts the message before it is sent;
  • Manual encryption of E-mail, giving the worker the ability to decide which E-mails need to be encrypted before sending; and
  • Encryption of all E-mail, regardless of whether it contains any PI.

Allowing the decision whether to encrypt to be made case by case by employees may not be in the best interest of your company. Most workers will probably not want the responsibility for making this decision, so one of the remaining two options may be preferable. It may also be in your company’s interest to remove the risk of error from your employees, because many breaches of PI are the result of employee error or improper handling of information.
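The first option above, software that decides for the employee, comes down to recognizing the identifiers in the regulation’s definition of PI inside message text. The following is an added example of that decision logic, written for this page and not a product or code from the authors’ firm. It looks for Social Security numbers (rejecting impossible area, group, and serial values), card or account numbers (13 to 19 digits that pass the Luhn check, so that order numbers and tracking numbers are not mistaken for cards), and a Massachusetts driver’s-license pattern that is an assumption here (‘S’ plus eight digits) and should be checked against the RMV’s current formats. Name matching is deliberately left out: a gateway should fail closed and encrypt whenever an identifier is present, since the recipient’s name is almost always recoverable from the message itself. The sample messages are constructed for the example.

```python
"""Added example: decide whether an outgoing E-mail must be encrypted because it
carries a 201 CMR 17-style identifier (SSN, driver's licence, card/account number).
Sample messages below are constructed for this example, not taken from any real mailbox.
"""
import re
from dataclasses import dataclass, field

# Social Security number in the common ddd-dd-dddd form.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# A run of 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# ASSUMPTION for this example: Massachusetts licence number as 'S' + 8 digits.
# Verify against the RMV's current formats before relying on this pattern.
MA_LICENSE_RE = re.compile(r"\bS\d{8}\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment cards; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the scanner's own log does not leak PI."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class ScanResult:
    encrypt: bool
    findings: list = field(default_factory=list)   # (kind, masked value) pairs


def scan_message(text: str) -> ScanResult:
    """Return whether the message must be encrypted and which identifiers triggered it."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", mask(digits)))
    for m in MA_LICENSE_RE.finditer(text):
        findings.append(("ma_license", mask(m.group(0))))
    # Fail closed: any identifier at all forces encryption.
    return ScanResult(encrypt=bool(findings), findings=findings)


# Constructed sample traffic for the example.
SAMPLE_MESSAGES = {
    "ssn":       "Bob, the SSN we have on file for you is 123-45-6789. Please confirm.",
    "card":      "Charge the retainer to 4111 1111 1111 1111, exp 09/11.",
    "order_no":  "Your order 1234 5678 9012 3456 shipped today.",   # fails Luhn
    "bad_ssn":   "Reference 000-12-3456 is not a real SSN.",        # impossible area
    "license":   "Licence S12345678 attached for the closing.",
    "plain":     "Lunch on Friday? The usual place at noon.",
}


def triage(messages: dict) -> dict:
    """Map each message name to the encrypt/not-encrypt decision."""
    return {name: scan_message(body).encrypt for name, body in messages.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        result = scan_message(body)
        print(f"{name:9s} encrypt={result.encrypt!s:5s} {result.findings}")
```

Note that the scanner never logs the matched value in full; under the regulations the filter itself is a system that handles PI, and a log file of unmasked card numbers would be one more record to protect.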

Another major risk to your customers’ PI is your employees’ portable devices. Compliance with the new law will require encryption of personal information stored on any portable device. All company laptops and USB thumb drives will require encryption software so that nothing on them can be read if the device is lost or stolen. One free place to start for your company’s laptops is TrueCrypt (www.truecrypt.org). (TrueCrypt development was later discontinued; whatever tool is chosen, the requirement is the same: full-disk or full-volume encryption protected by a strong passphrase.)

Another popular communication tool that is heavily used in today’s business world is the PDA. This device facilitates the transfer of personal data between clients and your employees, so protecting PI on handhelds is an area of concern.

Those businesses that use PDAs for E-mail and either transfer PI or sync with a server that can access PI will have to enforce the use of passwords on all handheld devices used by their employees, whether personally or company-owned. A handheld without a password is readable by anyone who picks it up: information delivered to a Blackberry, Palm Pilot, or iPhone by unencrypted E-mail or text message sits on the device in the clear, and a device password is the first barrier between that data and whoever gains physical control of the handheld.

Passwords on handheld devices won’t be the only change users will have to face. Part of the new regulation mandates more-stringent password policies and forces the use of stronger passwords and periodic password changes. This new password policy may be an inconvenience to workers who are not used to being so security-conscious.

It is worth noting that the modifications made by the state Office of Consumer Affairs and Business Regulation (OCABR) that produced the extended Jan. 1, 2010 compliance date also softened the requirements imposed upon affected businesses to verify the compliance of third-party service providers (e.g. payroll companies) with the OCABR regulations.

Rather than contractually requiring such providers to maintain the privacy safeguards, when the regulations take effect, businesses will need only to take “all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided” pursuant to the regulations.

As significant and onerous as these obligations may be, it is equally important for individuals and businesses storing personal information to understand fully the potential penalties for violation of the new regulations — those fines of up to $5,000 per violation — and the fact that enforcement of the new regulations will fall to the Office of the Attorney General pursuant to Chapter 93A, the Mass. Consumer Protection Statute, which provides for double and treble damages in the case of certain violations.

There can be no question that, with the new privacy regulations, Massachusetts is ushering in a new era of strict regulatory compliance relative to how businesses store personal information about their customers. Only with careful and prudent analysis of the new requirements will companies be able to ensure compliance and, perhaps more importantly, prevent a future TJX-like data breach.

Jeffrey Fialky is an associate with the regional law firm Bacon Wilson, P.C., specializing in business, corporate, municipal, and real-estate law; (413) 781-0560; [email protected]. John D. Chavis is the systems administrator at Bacon Wilson, P.C. He is responsible for all hardware and software applications and for implementing solutions that comply with the new personal information security regulations; baconwilson.com.