BY BETH O’NEAL, ESQ.
A company laptop computer was recently stolen during an employee’s business trip abroad. Fortunately, this employee did not have any company information saved on the hard drive, and all the company’s records are stored on our main server, which restricts access by requiring a password. However, we immediately informed all of our employees of the incident and warned them to ensure that no sensitive information is to be stored on laptop hard drives. Should we put any other procedures in place, as many of our employees have access to customer credit card numbers?
Preventing identity theft and security breaches must be a primary objective of all businesses as the custodians of records containing employee and customer identifying information. Although your question indicates you are certain there has been no disclosure of or access to company information, now is the time to ensure that your company will be in full compliance with the Massachusetts data security laws by the deadline of March 1, 2010. The Massachusetts Office of Consumer Affairs and Business Regulation (the OCABR) has promulgated regulations related to the Massachusetts data security laws that aim to ensure and protect the security and confidentiality of personal information of residents. Under these regulations, all those engaged in commerce must, at minimum, develop, implement, maintain and monitor a written information security policy for records containing personal information.
Personal information includes a Massachusetts resident’s first and last name or first initial and last name together with one or more of the following:
(a) Social Security number;
(b) driver’s license or state issued identification card number; or
(c) financial account, credit card or debit card number.
Because employers of all sizes are required to maintain and store personal information for immigration verification, payroll and benefit purposes, all employers of residents of the commonwealth are subject to the regulations. In fact, even a sole proprietorship without any employees is subject to the regulations if it collects and retains the personal information of customers who are Massachusetts residents.
The original OCABR regulations, released in February 2009, mandated that all businesses adopt and comply with a written security program with very specific requirements, but after small businesses voiced concerns about the impact of the regulations, the OCABR made revisions. These revised regulations, released in August 2009, make clear that the approach to data security is a risk-based approach. Under this risk-based approach, a business developing a written security program should take into account its size, the nature of its business, the kinds of records it maintains, the risk of identity theft posed by its operations and the resources available to the business.
A few of the required provisions for a comprehensive information security policy include:
Employers that store or transmit personal information electronically are also required to establish and maintain a security system to ensure that data is protected. This includes restricting access to data and encrypting records that are stored on laptops or portable devices.
If employers have not yet done so, they should begin drafting their written security policies and ensuring that their system requirements are compliant so they are prepared for the March 1, 2010, deadline. For more information regarding the requirements for small businesses, visit the OCABR Web site, which includes the regulations, frequently asked questions and a compliance checklist.
In addition, employers have obligations in the event of a breach of security. Based on your question, you indicate that no employee or customer information could be accessed or obtained when the laptop computer was taken; however, if you knew or had reason to know of a security breach or that personal information was acquired or used by an unauthorized person or for an unauthorized purpose, you would be required to notify the Attorney General and OCABR.
Beth O’Neal, Esq., is a partner in the Boston law firm of Masterman, Culbert & Tully LLP. Send questions to meo@mctlaw.com.
Published in Cape & Plymouth Business February 2010
Cape Business Publishing Group, LLC