Massachusetts Data Security Redux

Published on 01 September 2009 by andrew in News


OK, sorry for the hiatus. As promised, here is a fuller take on the amendments to 201 CMR 17.00 issued by the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) a couple of weeks ago.

First, the new version reflects an abandonment of the “prescriptive” (i.e., top-down, technology-specific) regulatory approach that characterized the previous version of 201 CMR 17.00 issued in February 2009. To put it bluntly, that version scared the living hell out of recession-battered small businesses with its insistence on using 128-bit encryption to safeguard personal information stored on portable devices or transmitted wirelessly or across public networks, and a host of other computer security fiats that could have required the addition of costly IT infrastructure. 201 CMR 17.00 would have been the most stringent data security regulation in the country and would have affected millions of businesses and organizations outside Massachusetts, indeed, anyone who owned or licensed personal information about a Massachusetts resident.

As the OCABR proudly explained when it unveiled the redraft, the new, mellower 201 CMR 17.00 more emphatically adopts the flexible risk-based approach used by federal law, such as the FTC’s Safeguards Rule implementing the security requirements of the federal Gramm-Leach-Bliley Act (GLBA). Organizations other than Massachusetts governmental entities that own or license personal information (first name or first initial and last name, together with Social Security, driver’s license or state ID card number, or financial account, credit or debit card number) relating to a Massachusetts resident must still implement a comprehensive written information security program containing administrative, technical and physical safeguards, but it is clear now that the appropriateness of the safeguards will depend on the size, scope and type of business, the amount of resources available to the business, the amount of stored data, and the need for security and confidentiality of consumer and employee information.

While all information security programs must still meet some general requirements (such as designating employees responsible for their maintenance, risk assessment and evaluation of current safeguards, reasonable restrictions on physical access to records containing personal information, oversight of service providers through an appropriate selection process and contracting, developing employee security policies for the storage, access and transportation of personal information outside of business premises, preventing terminated employees from accessing personal information, documenting responses to data breach incidents, etc.), gone are the more onerous requirements, such as identifying all systems and storage media containing personal information and imposing a rigorous system of limiting the extent and duration of access by personnel to personal information. (These former requirements will now be used as guidance only.)

Another notable change is that the computer system security requirements in the regulation will now apply only to the extent technically feasible for the business. In its FAQs, the OCABR defines “technically feasible” as indicating the existence of “a reasonable means through technology to accomplish a required result.” This qualifier has enormous significance for the requirement to encrypt personal information stored on portable devices or transmitted wirelessly or across public networks. For example, while encryption of backup tapes on a going-forward basis is required, a business may not be required to encrypt a tape being transferred from current storage (although it should consider alternate protections depending on the amount and sensitivity of the information). Likewise, the OCABR has indicated that it may not enforce the encryption requirement for Blackberries, iPhones and similar devices, since there is currently no generally accepted encryption technology for them, but will for laptops.

Not only is the encryption requirement now subject to technical feasibility, but it is also technology neutral. No longer will businesses be required to use an encryption standard of 128-bit or higher.

There have also been some changes to the requirement to oversee service providers with whom personal information is shared. First, as the statute has become less onerous, the requirement to select service providers capable of compliance has become correspondingly lighter. Second, the regulation is now in conformance with the FTC’s Safeguards Rule under GLBA; businesses must take “reasonable steps” to select service providers capable of maintaining appropriate security measures for personal information and must require them to do so by contract. (However, until March 1, 2012, a contract will not be considered non-compliant for lacking these provisions as long as it was entered into prior to March 1, 2010.)

Finally, the date by which businesses must be compliant with 201 CMR 17.00 has been pushed back to March 1, 2010 (from January 1, 2010), another concession to the jitters experienced by small and medium-sized businesses (SMBs) since the inception of this regulation in late 2008. (It is even possible that the regulation will be further amended, since the OCABR has invited public comment and will hold a hearing in Boston on September 22.)

Is 201 CMR 17.00 less scary now? Yes, but how much depends on whom you ask. For regulated financial services companies or businesses used to complying with the Payment Card Industry Data Security Standard (PCI DSS), HIPAA or GLBA, the amended Massachusetts regulation requires little or nothing that they are not already doing. However, it is still more stringent and formalistic in terms of administrative process than any other state’s data security law (including even California’s!) and will represent a major cultural shock for SMBs who up to now have not had to think systematically about security (and may not have a CTO or information security officer on staff). Furthermore, based on my own experience, some managers who are used to purchasing IT services quickly, based on lowest available pricing, may chafe at the service provider due diligence and contracting requirements, although these requirements can actually be satisfied fairly easily.

With March 1, 2010 rapidly approaching, businesses will need to take a good hard look at themselves, assess the risk and the resources available to mitigate it, and determine whether their need to store and transmit personal information is great enough to justify the extra costs of compliance.

2 Responses to “Massachusetts Data Security Redux”

  1. [...] such as the new Nevada statute (Senate Bill 227) requiring encryption and PCI DSS compliance and Massachusetts’ recent move to make 201 CMR 17.00 more risk-based and technology neutral. Also on the agenda was California Senate Bill 20, which sets forth content requirements for data [...]

  2. [...] the risks involved. After wailing and lamentations from business groups, a near-final regulation (discussed in depth in this blog) was issued in August 2009 and shifted the regulatory standard to a more flexible, risk-based, [...]
