NEW LAW ON INFORMATION PROTECTION IN MASSACHUSETTS
By Joseph W. Worthen, II, partner at Rudolph Friedmann LLP
Be careful what you wish for. Most people would say that protection against the misuse or improper dissemination of personal information (social security, credit card or bank account numbers, for example), is a good thing. If you feel that way, (and who does not?), then you would think that Massachusetts’ relatively new legislation designed to do just that would be a welcome addition to the panoply of legislative protections. Read on – you may change your mind.
Massachusetts has passed two pieces of legislation that attempt to address, and protect, the security of personal information, but the cost of compliance, and the penalties for failure to comply with the statute, will prove to be an unwelcome burden to most businesses. These two seemingly simple acts are: M.G.L. ch. 93 H entitled Security Breaches, and M.G.L. ch. 93 I entitled Dispositions and Destruction of Records. If you operate any kind of business endeavor in Massachusetts, or if you have at least one employee (full time or part time) who is a resident of Massachusetts, here is how these laws will (not might, but will) affect you.
Just What Is “Personal Information”?
Personal Information (“PI”) is defined in both ch. 93 H & ch. 93 I as a resident’s first name (or initial) and last name “in combination with” any one or more of the following: (1) Social Security Number; or (2) Driver’s License number or Massachusetts identification card number; or (3) financial account number, credit card number or debit card number that would permit access to a resident’s financial account. NOTE: For the purposes of dispositions and destruction of records, ch. 93 I adds a fourth item, (4) a biometric indicator (think thumbprint for a thumbprint reader).
What Is a “Record”–201 CMR 17.00
A “record” is defined in the lengthy regulations that contain the true meat of these new statutes. The Code of Massachusetts Regulations (CMR), section 17, defines a record to include any material upon which written, drawn, spoken, visual or electromagnetic information or images are recorded or preserved. This could include a piece of paper, a computer, a CD, a flash drive, a PDA, a laptop–in short, anything from which data can be retrieved.
Here are a few examples of what would constitute a record containing “personal information” under the law: (1) a W-9 for an employee; (2) a personal check with the account holder’s name on it; (3) a bank statement.
To Whom Does the Law Apply?
Before you go thinking that this law is just for businesses and “doesn’t apply to me”, consider the wording of the statute. This law applies across the board to every natural person, corporation, association, partnership or other legal entity. The law applies to each and every one of us. You do not have to be a business, or even be “in business” in the strict sense, for this law to apply to you. If, for example, you have a nanny, and if you have the nanny’s name and social security number, or name and checking account number, you have PI, and the law applies as equally to you as to businesses such as Staples and Whole Foods.
How to Destroy or Dispose of Records That Contain Personal Information–ch. 93 I
This statute is in effect now, and it establishes minimum standards for the disposal of records containing PI. When disposing of PI, paper files must be redacted, burned, pulverized or shredded, and electronic and other non-paper media must be destroyed or erased, so that personal data cannot practicably be read or reconstructed. You are exposed to liability if you simply throw away a paper file containing PI, and if that PI is in electronic form, it is not sufficient to “delete” the file. Unless you are an accomplished information techie, you will need the aid and advice of an IT specialist to be certain that whatever software you use to delete PI is 100% effective in making the deleted data unrecoverable.
Penalties. The penalties for violating the provisions of this chapter include civil fines of up to $100 per data subject affected. The total fine shall not exceed $50,000 for each instance of improper disposal. In addition, the Attorney General may bring an action under M.G.L. ch. 93 A to remedy violations and “for other relief that may be appropriate”.
Security Breaches–What You Must Do to Protect Records Containing Personal Information–ch. 93 H and 201 CMR § 17.00 et seq.
This is where the information protection statute gets truly complex and burdensome. In principle this law is very simple. It is a reporting statute that provides that if you maintain or store PI, and if there is an unauthorized acquisition or use of unencrypted PI (a Security Breach), you must notify the owner of the PI regarding the nature of the Security Breach. In certain situations notice must also be given to both the Attorney General and the Director of Consumer Affairs and Business Regulation. The regulations promulgated pursuant to this statute, however, require much, much more, and are set out in full in 201 CMR 17.00 et seq.
Everyone who maintains, stores, owns or licenses PI must adopt a written information security plan (a “WISP”). This is a written plan for implementing safeguards to prevent a Security Breach, and the WISP must be adopted and in effect by January 1, 2010. Sounds simple. But the regulations go into great detail regarding the minimum required elements of your WISP.
General WISP minimum required elements are:
1. Designate a responsible person.
2. Identify and assess risks to security, including:
a. Ongoing employee training
b. Assuring employee compliance with policies.
c. Means for detecting and preventing security system failures.
3. Security policies, including access to and transport of records.
4. Disciplinary measures for violation of policies.
5. Block terminated employees’ access.
6. Verify the security provided by others to whom you send PI.
7. Internal limits on collecting, retaining, and accessing PI.
8. Identify paper and electronic records that may contain PI.
9. Restrict physical access to PI, and provide locked storage.
10. Regular monitoring.
11. Annual review of the scope of security measures.
12. Document responsive action to security breaches.
Now take a breath–here are the minimum elements of the computer systems security WISP:
1. Secure user authentication protocols. This is password control.
2. Restrict access to a “need to know” basis.
3. Encrypt PI that will travel over public networks.
4. Monitor for unauthorized use.
5. Encrypt all PI stored on laptops or other portable devices.
6. Reasonably up-to-date firewall protection.
7. Reasonably up-to-date malware and virus protection.
8. Education and training of employees.
The parting shot in the regulations is 201 CMR §17.05:
Every person who owns, licenses, stores or maintains personal information about a resident of the Commonwealth of Massachusetts shall be in full compliance with 201 CMR 17.00 on or before January 1, 2010.
My advice is, do not delay. Seek professional assistance if you need it, but start WISPering now.
Penalties. This statute does not have the specific civil penalties that accompany the data destruction statute, but this statute does provide that the Attorney General may bring an action under M.G.L. ch. 93 A to remedy violations and “for other relief that may be appropriate”.
Resources. There are many resources available to assist you in the arduous task of complying with these laws. For further information on, and assistance in compliance with, these laws, you may find information on several websites or call us.
E-MAILS CAN MODIFY CONTRACTS
We send e-mails so casually and with such informality, even in the business environment, that it is easy to forget that they may carry significant legal consequences. It is only prudent to bear in mind that even e-mails written in the most conversational style may create legal obligations no less binding than a more conventional written agreement laden with legalese and signed with all formalities.
If a business wants to entirely avoid the possibility of having e-mails treated as binding amendments to existing contracts, the best approach is to be as clear and direct as possible on the subject by including language in contracts to the effect that e-mails do not count as signed writings for purposes of any contract amendments.
A recent cautionary case on point involved an individual who sold his public relations firm to a global communications company. The deal included an employment contract under which the seller was to continue as chairman and CEO of the new company for three years. Soon, the new company was losing money and the seller was presented with the option of either leaving or taking on new responsibilities.
E-mail then entered the picture when an employee of the communications company sent yet another option to the seller in an e-mail that spelled out how the seller would allocate his time. The seller replied by e-mail that he enthusiastically accepted that proposal. For his part, the representative of the communications company replied by e-mail that he was thrilled with the seller’s decision to accept the new offer. In both e-mails the sender had typed his name after the message.
The seller later had a change of heart and sued to enforce the terms of the original employment agreement. An appellate court ruled against him on the ground that the exchange of e-mails on the new employment proposal constituted a binding amendment to the employment agreement. This was so even though the original agreement required that any changes had to be in the form of signed writings.
The court reasoned that the e-mails effectively were signed writings because the parties’ names appeared at the end of the e-mails, signifying an intent to authenticate the preceding contents of the messages. Likewise, the e-mails also were signed writings for purposes of the Statute of Frauds, which requires certain contracts to be in writing in order to be enforceable. In short, when the seller and his e-mail correspondent clicked “send” and “reply,” they were sealing a new deal that the seller could not avoid even though it was in an electronic form.
John Moorman and his fiancée, Kathleen Barrett, recently married at the all-inclusive Beaches resort on Turks and Caicos Island in April. John’s three children, Alexis (16), Jake (14) and Krista (13) and Kathleen’s two children, Jennie (20) and Cameron (16) also traveled with them for vacation and to attend the wedding. Kathleen works as a Certification Coordinator for TUV SUD American, Inc. in Peabody. John and Kate will continue to reside in Danvers.
John A. Murphy recently became engaged to his longtime girlfriend, Ruth Mendonca. Ruth is a United States Postal Inspector. John and Ruth plan to get married in June, 2010.
Our new runner, Hunter Hrab, recently graduated from State University of New York (SUNY) at Plattsburgh with a degree in business and a minor in finance. He eventually wants to get a Masters in Public Policy. Hunter is originally from Long Island but now calls Boston his home. He is an avid skier.
Kaitlyn Brennan recently joined the firm as Jon Friedmann’s legal assistant. Kaitlyn has a degree in Criminal Justice from Northeastern University and has worked as a legal litigation assistant in Boston for five years prior to joining Rudolph Friedmann LLP.