June 7th, 2009
Massachusetts Adopts New Data Privacy and Security Law
Massachusetts has adopted a wide-ranging data security regulation governing all persons and companies maintaining personal information about any Massachusetts resident. The regulation, "Standards for the Protection of Personal Information of Residents of the Commonwealth," takes effect on May 1, 2009 and carries substantial penalties for noncompliance. This essay briefly summarizes the new regulation.
Goals. The regulation seeks to safeguard the personal information of Massachusetts residents by 1) ensuring the security and confidentiality of personal information; 2) protecting against anticipated threats or hazards to the security or integrity of personal information; and 3) protecting against unauthorized access to or use of personal information that would create a substantial risk of identity theft or fraud.
Who is affected? The regulation applies to "all persons that own, license, store, or maintain personal information" about a Massachusetts resident. The regulation defines “person” to include corporations, associations, partnerships, and other legal entities (but excludes Massachusetts government offices and agencies). Because the Internet and other technologies enable anyone to quickly obtain and store personal information without regard to geographical boundaries, the regulation would appear to extend to individuals and companies worldwide.
How does the regulation define "personal information"? The regulation defines "Personal information" as information comprising a Massachusetts resident's first and last name or first initial and last name – plus one or more of the following: (1) Social Security number; (2) driver's license or state-issued identification card number; or (3) financial account number or credit/debit card number (with or without security code, access code, personal identification number, or password). Personal information covered by this regulation may reside in either written or electronic records. Note: There is an exception for personal information that is publicly available.
How to Comply. The regulation requires covered persons to develop and maintain a "comprehensive, written information security program" ("CWISP"). Each CWISP must not only meet specific computer system security requirements (infra), but also specify policies and procedures governing data access and maintenance, employee training, relationships with outside contractors and other third parties, and more. The following requirements apply to all personal information stored in any format. Specifically, each CWISP must:
- Specify one or more employees in charge of CWISP compliance.
- Set forth procedures for risk assessment – including an evaluation of current safeguards.
- Provide employee training (including training of temporary and contract employees).
- Develop security policies regarding the transfer of personal information off business premises.
- Spell out disciplinary measures.
- Contain rules governing former employees.
- Specify rules and contractual requirements to verify CWISP compliance by third-party service providers with access to personal information – including obtaining "written certification" that such providers are in compliance with the regulation.
- Define what personal information is to be maintained, for how long, and by whom.
- Identify where personal information currently resides (e.g., laptops, memory sticks, DVDs, and other storage media).
- Specify restrictions on physical access to personal information.
- Contain "regular monitoring" procedures to determine CWISP effectiveness and any necessary improvements.
- Establish recordkeeping procedures – including documentation of actions taken related to any breach of data security.
Additional requirements for computer systems. In addition to the policies and procedures above, the regulation requires covered entities that "electronically store[ ] or transmit" personal information to set up a computer security system (including any wireless system). To comply with this section of the regulation, covered entities must take eight additional steps:
- Establish "secure user authentication protocols" – including control of user ID's and passwords.
- Establish "secure access control measures" – including restricting access to persons who need it to perform their job duties.
- Encrypt "all transmitted records" containing personal information "to the extent technically feasible".
- Monitor systems for unauthorized use or access.
- Encrypt "all personal information" residing on laptops or other portable devices such as memory sticks, DVDs, and PDAs.
- Maintain "reasonably up-to-date" firewall protection for systems connected to the Internet.
- Maintain "reasonably up-to-date" system security software (e.g., malware and anti-virus programs).
- Train employees on how to comply with computer security system requirements.
When do the new rules take effect? The general compliance deadline is May 1, 2009, with the following exceptions: 1) the deadline for obtaining “written certification” from third-party providers is January 1, 2010; and 2) the deadline for ensuring encryption of portable devices other than laptops is January 1, 2010.
Penalties. The regulation does not contain a penalty section or provide a private right of action for aggrieved consumers or businesses. However, the Massachusetts attorney general may bring an action to enforce the regulation under Massachusetts General Laws, chapter 93A, section 4. Under this section, the attorney general may seek a temporary restraining order or preliminary or permanent injunctions; judgments for "ascertainable loss"; and civil penalties of not more than $5,000.00 per violation. The attorney general may also recover the "costs of investigation and litigation," including reasonable attorneys' fees. And persons or entities violating an injunction may be subject to a civil penalty of up to $10,000.00 per violation. The regulation notes that compliance "shall be evaluated taking into account (i) the size, scope and type of business … (ii) the amount of resources available … (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information."