Perhaps not surprisingly (conventional wisdom having been very sage, if hopeful, in this particular case), the effective date for the Massachusetts data privacy law has once again been pushed out (this is the fourth such extension, representing a total push of 15 months): from January 1, 2010 to March 1, 2010. (It’s okay to jump up and down now.)
But, wait . . . There’s more. In once again pushing back the effective date for the application of the Massachusetts General Law Chapter 93H omnibus security breach/data privacy/identity theft regime, the Office of Consumer Affairs and Business Regulation has also extensively revised its identity theft regulations, at 201 CMR 17.01, et seq. (You can stop jumping up and down now.)
The announcement of these changes, made via an August 17 press release by the OCABR, takes the form of four official state documents, including said press release, as well as the revised regulations (an available redlined version being particularly helpful), a new set of FAQs on the changes made to the CMRs and a notice of public hearing concerning the revised regulations.
Each of these various documents offers important guidance, even though the regulations are the only one of the documents having the force of law. So, then . . . Let’s Review:
(That’s right, I am going to attempt a straight review, without much of my rhetorical flourish . . . much.)
The 8/17 Press Release. The press release announces the new effective date (3/1/10) for the revised regulations, as well as the date (9/22/09) for a public hearing on the revised regulations. More broadly, the release seeks to define the new tenor of the law, including the notion of its enforcement. According to the release, the changes to the regulations seek to more favorably balance the interests of consumers with those of the small businesses that must comply with the law. The revised regulations are said to represent a new, risk-based approach that will give businesses more flexibility in creating unique WISPs that more accurately reflect the realities of their particular business situations, the regulations thereby becoming “risk-based in implementation, not just enforcement”. The new regulations also represent an acknowledgment that technological feasibility (read (really): how-much-a-business-can-afford-to-pay-for-certain-technology) plays a part in what businesses, especially small businesses, can do to comply with the law. The regulations, then, have become technology-neutral, with a new focus on feasibility. Overall, the regulations are said to now be more consistent with federal law.
The Revised Regulations. The redlined version of the regulations is the best place to get a look at what has been struck, what has stuck and what’s new. Now, these regulations are not set in stone (neither was the last set, of course), especially as changes may be in the offing following the September 22 public hearing; but, this is the most recent edition we have to work with, and is certainly the first look into the government’s state of mind respecting the purposes of these changes.
17.01 In running down the regulation, the first thing you’ll notice is that there has been a subtle shift made to the purposes of the regulation. One purpose is no longer to establish minimum standards for compliance (plus the statutory purposes adopted). Although the regulations do still establish minimum standards for compliance, that is no longer one of the stated purposes of the regulations. Theoretically, this provides businesses a bit more freedom, and flexibility, in the designing of their information security protocols. The new purposes, the same as the old purposes, then, are those adopted from the statutory language of chapter 93H, but adopted more directly. The former regulation had changed the statutory language respecting protection against unauthorized access or use that “may result in substantial harm or inconvenience to any consumer” to protection against unauthorized access or use that “creates a substantial risk of identity theft or fraud against . . . residents.” The statutory language has now been adopted directly, so creating, indirectly, a more difficult charge for businesses affected, which, under the terms of the statutory language, have more to look after. The OCABR giveth, and the OCABR taketh away.
The OCABR has also removed the “store/maintain” category of information holders; the “own/license” category remains. Given that no one really had any idea what these categories meant before, or what the difference between them was, there is really no great change, I suppose. And, this point underlines one of the main issues with the prior regulation: that none of these four terms, nor either of the two groups of terms, was ever defined.
17.02 Thoughtfully, “own/license” has now been defined, albeit so broadly that anyone having “access to [protected] personal information” is an owner/licensor. Or, not so thoughtfully. This is patently ridiculous, of course. Practically, “own/license” can have no meaning when defined so broadly. So, suffice it to say that “anyone” and “everyone” who has access to protected personal information must care for it after the terms of the company WISP. And, certainly, this is the way that smart businesses have approached this issue from the very beginning: that an appropriate WISP must be created and diligently enforced, as applicable to every person and employee.
The existing definition for “encrypted” has been tweaked, in keeping with the new approach that the regulation be technology neutral. The requirement for the use of an algorithmic process for encrypting has been removed; the only remaining requirement is that a confidential process or key be required to break whatever encryption method is used, essentially leaving the choice of encryption method open.
Helpfully, a definition for “service provider” has been added. The “service provider” is a person, broadly defined, who is permitted access to protected personal information by another person, broadly defined, subject to the Massachusetts data privacy law, for the purpose of directly providing services to that other person, broadly defined, subject to the Massachusetts data privacy law. Someone, then, or some company, to whom you permit access to your stored information, so that they may perform a service for you, is a service provider. Fair enough; and, the fact of your granting them permission separates them out from those breachers who access your stored information without permission. Service providers are more like vampires, invited into your home. But, the real question respecting service providers has never really been who they are, or what they, generally, do. The point has always been the determination of what, exactly, businesses must do to vet and/or monitor their service providers. The revised regulations come closer to answering that question. And, we get closer to covering that
17.03 Most of the red ink in the revising of these regulations has been spilt for changes made to this section. The changes appear, then, at first blush, sweeping. But, only one section of changes really represents a dramatic maneuver, and not the one you’d think. The requirements for a WISP have become less stringent, or, at least, the intention was to make them less stringent. The change to the WISP requirements more directly implicates what I have called the “totality of (most of) the circumstances” test for determining what a business is truly capable of pulling off with respect to the protection of personal information that it stores; thus, a WISP must now contain “administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.” And, there are your four circumstances for the consideration of whether or not your WISP is compliant. Of course, those considerations were present in the prior version of the regulations. Practically speaking, then, the only real change here is that the command that the WISP shall be “reasonably consistent with industry standards” has been removed. Aside from that, though, this looks awfully similar to the prior version. And, in the end, it seems that whatever leniency ends up being applied will be supplied via court decisions, with reasoning based on much the same language that has appeared here before.
Following down the page, there is a smart grammatical change at 2(c) as well as the deletion of the requirement to immediately terminate terminated employees’ access to protected records at 2(e). But, beginning at the new section 2(f), is where the largest changes occur. Although section 2(f) contains the term “oversee”, which may end up being an onerous burden for small business, the further descriptive subparts imply that that should not be the case. Now, reasonable steps are required to “select and retain”–inartfully applying a continuing obligation to continually vet/monitor service providers–service providers who can maintain “appropriate security measures” to safeguard protected personal information. Appropriate security measures are those that are consistent with the regulations and with federal requirements. This language now closely tracks the new formulation for the creation and maintenance of a WISP, where the appropriateness of measures likely reflects the sort of business engaged in, and the resources available to that sort of business. The second subpart requires that businesses bind service providers by contract to the implementation and maintenance of appropriate security measures for the protection of personal information. This appears a much more useful directive than the prior, general admonition for the vetting of service providers. Now, there are two steps: (1) verify the capability of the service provider to protect personal information; (2) sign the service provider to a contract memorializing their ability and willingness to meet legal requirements for protection of personal information–which seems to reduce or eliminate the need to monitor, breach of service = breach of contract, and a remedy for business and consumer affected, right . . . Now, although there is still little guidance as to what those “reasonable steps” for verification might be, there is now a contract to fall back on, which fixes the terms of the agreement entered into.
Not that I would be disposing of my records respecting my questions to and answers from a service provider representing the reasonable steps I have taken to vet my service providers. There is also, note, an inducement here to engage service providers before the new effective date of the regulations, since contracts entered into before March 1 will be deemed to be in compliance with the regulations, even without the explicit provision for the maintenance of protective security measures. Here’s hoping that service providers will add such terms to their existing contracts, thereby removing the burden from consumers/business owners; but, why they would want to so bind themselves, I do not know, and likely would not do, unless I had to, or if it were easy for me to comply, if I were in their positions.
The revised regulations also feature the removal of other, prior mandates. The former section 2(g), requiring the limiting of the amount of information kept, for how long and for whose eyes, has been eliminated. Likewise, the former section 2(h), requiring the pinpointing of electronic and paper records containing protected personal information and the storage units for same, if all records were not protected under the terms of a WISP, has been dumped. Finally, the requirement to provide a written procedure for the accessing of paper records, as it appeared in the former section 2(i), has been removed.
17.04 Only two changes are made to this section of the regulations, which section covers much of the discrete technology-based requirements. The over-arching revision adds the language “to the extent technically feasible” in describing the application of elements of computer system security to the WISP and to the practice. This is consistent with, and really necessarily emanates from, the revisions made to 17.01, which point to a looser interpretation of compliance, one more directly based on the needs and limitations of particular companies. The revision means that every subpart here is now read differently, in light of the particular circumstances of individual businesses. The only other change in this part is the removal of the “to the extent technically feasible” language formerly attached to the (3) encryption subpart, that removal being required to avoid a redundancy, since the whole part is now governed by the question of whether what is to be done is or is not technically feasible.
17.05 There is a removal of the store/maintain classification, as there has now been throughout. The effective date of the regulations is moved to March 1, 2010, from January 1, 2010.
The New FAQs. The added Frequently Asked Questions primer may, in fact, have even more subtle goodies in it than the revised regulations. After you’ve read through the revised regulations, these FAQs’ll sort of appear like an Easter egg found about Memorial Day. Take that as you will.
Some of the notions for your attention (that is, if you got the notion):
The revised regulations, conforming to the new risk-based approach to information security, are consistent with federal law, especially the FTC’s Safeguards Rule. Hint: Check the Safeguards Rule. Looks as though this is a direction for finding out what the precedent might be, before the precedent becomes handed down. The Safeguards Rule also contains third party vendor provisions, which are the model for the third party vendor provisions in the revised CMR regulations.
There is more specific, albeit, still nearly wide-open, “guidance” with respect to the encryption of PDAs: Not all portable devices have to be encrypted. (Makes sense. Not all portable devices will have protected personal information stored on them anyway.) Since there is not a generally accepted encryption method, just do what is “technically feasible” (there’s that term again–but what does it mean?), and if you can’t encrypt your PDA, safeguard the protected personal information on it to the extent possible. (Meaning: If you can’t encrypt, manage the risk. That’s as catchy as “If the glove don’t fit, you must acquit”, no?) This segment ends by stating, rather matter-of-factly, that encryption technology is generally available for laptops. (i.e.–If you have protected personal information on your laptop, encrypt the device.)
The FAQs also provide some specific guidance on the protection of personal information on backup tapes, which has been a cloudy question to this point. There are several interesting points here: Going forward (so starting on March 1, 2010, I would imagine) backup tapes must be encrypted. However, if you are moving old backup tapes from storage, you must encrypt those tapes . . . if it’s technically feasible, of course. If it’s not technically feasible, you should take steps to protect the information contained on the backup tapes (so the backup tapes). The FAQs provide the oddly extreme example of using an armored vehicle and guards for the transfer of a “large” amount of sensitive personal information. Certainly an option for large companies; but, for smaller companies (and there is no further definition of what a “large” amount might be), not likely. What is this, Thailand?
A definition of “technically feasible” (= technologically feasible, what with all the context clues) is presented in the FAQs. Why the definition is presented in the FAQs and not within the regulation is sort of beyond me, but it is what it is, I suppose. The definition of “technically feasible”, then, as it appears, is really just a question of reasonableness, that old-timey standard.
Also welcome is some guidance specific to the encryption of email containing personal information, as this has been one of the major areas of concern for those seeking to comply with the regulations. Quite obviously now, under this new regime, you need only encrypt if it is technically feasible. If email encryption generally is not technically feasible, the best practice is not to send unencrypted personal information via email. The alternative suggestion is transfer of and communication relating to protected personal information via the establishment of an encrypted website with username and password access. Of course, that seems rather cumbersome, in some cases. For example, I’d rather just encrypt a PDF or Word document, and call the person I am emailing with the password. The secure website is a good idea for collaboration, but not for simple transfer.
If you swipe credit cards and debit cards, and only use swipe technology, but do not have custody or control over the information swiped and batch out the data in accordance with the payment card industry standards, then you are not an owner or licensor of personal information, and that information is not your obligation to protect under the data privacy regime. Apparently, there are special considerations if you “have employees”; and, reference, for that scenario, is made to a prior hypothetical, in which no mention is made of debit or credit card swiping procedures.
To compensate for the removal of language in the original regulations respecting the limiting of the amount of personal information collected, the length of time it is retained for and the limitation to a legitimate purpose for collection, the question of length of retention is addressed now in the FAQs. There is no maximum amount of time that a business can hold onto protected personal information; the timing question is a business decision. However, the suggested best practice is to consider what is essentially the former mandate of the relevant deleted portion of the regulations, the former 17.03(2)(g) reiterated.
With the deletion of the former 17.03(2)(h), you no longer need to make an inventory of your records, to determine which of those records contain protected personal information . . . but you should. Despite the deletion of this section and the above-referenced section, the suggestion here is that it is still best practice to make an inventory of your client records and information and to include, within your planning for the creation of your WISP, concepts concerning the purpose of your maintaining records.
How much employee training do you need to do, with respect to the Massachusetts data privacy regime? “Enough.” Oh, well, that’s helpful. Thank you.
In addition to the definition of “technically feasible”, there also appears in the FAQs another, less explicit definition, this one for “financial account”. “Financial account number” has previously been defined in the statute and remains defined in the regulation; but, a definition for “financial account” seems to be attempted here in order to provide further examples of financial accounts (some of which examples appear in the statute and still appear in the regulation), as well as to provide context for what sort of things hackers or other illegitimate persons can do when they get access to financial accounts. It strikes me as tortuous, and unhelpful, however, to define a financial account in the context of what certain persons can do to other persons once they have gained access to those other persons’ financial accounts.
Incidentally, an insurance policy number is a financial account number (important more for insurance carriers and resellers than lawyers, but still likely account information accessible and maintained by some lawyers, in certain cases), with certain conditions: IF “it grants access to a person’s finances” or IF it “results in an increase of financial burden, or a misappropriation of money, credit or other assets”. Certainly, this second option is just another definition by extrapolation, and as unhelpful to persons attempting to comply with this regulation as the definition above; the first option–granting access to finances–is a much better definition, and measure.
The attorney-client privilege does not immunize you from compliance with the data privacy regulations–seems rather obvious, but someone must have asked.
Additionally, you must comply with the CMR even if you already comply with HIPAA. These are distinct obligations, even though there may be overlap, in certain places, and at certain points.
With respect to the general monitoring of your safeguards for the protected personal information you maintain, you should adopt a system that is “reasonably likely to reveal unauthorized access or use”. This guidance is generally consistent with the new tenor of the regulations, that businesses, especially smaller businesses, will be given more leeway in applying protocols consistent with the revised regulations and the statute. Fairly obviously, standards for monitoring paper records versus electronic records should take into account the differences between those records.
The FAQs end on what is, really, a summation point: that compliance will be judged on a case-by-case basis, with the relevant totality of (most of) the circumstances (business size; business resources; amount of data stored; need for confidentiality) considered.
. . .
So, where do we stand now? A little further away from the cliff face.
The most important change to the regulations is the leeway now provided to smaller businesses with respect to the actual implementation of technical security safeguards. The regulations are now technology neutral and grounded in the nature of a business for specific application of measures. The third party provider requirement changes are also significant; however, those are still not entirely clear as to what reasonable steps businesses must take in vetting service providers and as to whether and to what extent there is a continuing monitoring requirement, or if the new mandated contract term weds third party providers to liability. The FAQs are full of the right questions, with most of the right answers; and, some of those answers should have made it into the final version of the regulations. Overall, though, there is more bark than bite here, and the changes to the WISP requirement are not really staggering, or major. We’re getting closer, but not quite there yet. Perhaps another extension is in the offing?
Complaints? Is it all too much for you to take? Attend the public hearing relating to the changes to the regulations on September 22, 2009, and voice your disgruntlement.
(Yes, I know. Disgruntlement is not a word.)