On August 17, the Massachusetts Office of Consumer Affairs and Business Regulation ("OCABR") issued another revision to the state's data security rules, set forth in 201 CMR 17.00 ("Rules"). The Rules impose significant requirements on those possessing personal information of state residents, including those based outside Massachusetts. As part of the most recent revision, the effective date of the Rules has been changed to March 1, 2010. OCABR also issued a new list of frequently asked questions ("FAQs") about the Rules and announced that an additional public hearing on the Rules will be held on September 22, 2009. Since their original release in September 2008, the Rules have been amended twice and their effective date repeatedly has been delayed, as discussed in Goodwin Procter's September 29, 2008 and February 13, 2009 Client Alerts.

The new version of the Rules and the FAQs:

  • Revise the definition of "encrypted" to a more technology-neutral standard. Previously, an algorithmic process or alternative process at least as secure was required.
  • Broaden the scope of the Rules to include (in the definition of "owns or licenses") any person that "otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."
  • Define "service provider" and modify requirements for overseeing them. An entity subject to the Rules will no longer be required to take "all reasonable steps" to verify a service provider's capacity to protect personal information, but is still required to "select and retain third-party service providers that are capable of maintaining appropriate security measures" and to require service providers "by contract to implement and maintain such appropriate security measures."
  • Modify the duty to protect personal information by a comprehensive information security program to allow the administrative, technical and physical safeguards to be "appropriate" to the size, scope and type of business; the amount of resources and data; and the need for security and confidentiality of the data. Previously, the duty was that the safeguards were to "ensure the security and confidentiality." This modification is consistent with the Rules' accompanying press release, which outlines a more risk-based approach.
  • Mandate certain computer system security measures only "to the extent technically feasible." According to the FAQs, encryption of data may not be required for certain mobile devices such as cell phones, Blackberries and similar devices, as there is no generally accepted encryption technology currently available. However, the FAQs note that technology for the encryption of personal information on laptops is available and caution that where it is not technically feasible to encrypt, one should "take appropriate steps to secure and safeguard" the personal information. The FAQs also state that the Rules require encryption of backup tapes on a "prospective basis" and as technically feasible in other circumstances, such as transporting existing backup tapes.
  • Eliminate the specific obligations about the collection and retention of, and access to, personal information. The Rules also eliminate the requirement to inventory all paper and electronic records to determine which records contain personal information.
  • Deem certain existing service provider contracts entered into prior to the effective date of the Rules as in compliance with the Rules.
  • Do not further define financial account, but the FAQs state that an insurance policy number qualifies as a "financial account number" if the number "grants access to a person's finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other assets."

The FAQs and press release issued with the Rules note that the Rules intend for a risk-based approach to data security and that revisions were made to assist small businesses that do not handle significant amounts of personal information.

Goodwin Procter LLP is one of the nation's leading law firms, with a team of 700 attorneys and offices in Boston, Los Angeles, New York, San Diego, San Francisco and Washington, D.C. The firm combines in-depth legal knowledge with practical business experience to deliver innovative solutions to complex legal problems. We provide litigation, corporate law and real estate services to clients ranging from start-up companies to Fortune 500 multinationals, with a focus on matters involving private equity, technology companies, real estate capital markets, financial services, intellectual property and products liability.

This article, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP or its attorneys. © 2009 Goodwin Procter LLP. All rights reserved.