Compliance Reminder — Massachusetts Data Security Regulations Effective March 1, 2010

The Massachusetts Office of Consumer Affairs and Business Regulation has issued Regulations, effective March 1, 2010, that will apply to any business (including advisory and asset management firms) that owns or licenses personal information about a resident of the Commonwealth of Massachusetts (i.e., your customers or your employees). The focus of the Regulations is to ensure better protection of that personal information. You can view the Regulations here.

The Regulations define “personal information” as a Massachusetts resident’s first name and last name (or first initial and last name) in combination with any one or more of (a) Social Security number, (b) driver’s license number or State issued ID card number; or (c) financial account number or credit/debit card number that would permit access to the resident’s financial account.

In summary, the Regulations require the business to develop, implement and maintain a “comprehensive information security program.”  This program should contain administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of your business; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.  The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated (e.g. Regulation S-P).  The Regulations provide some specifics about content of the information security program, including but not limited to designating someone to maintain the program, risk identification and assessment as to effectiveness of the program, security policies related to storage, access and transportation of personal information, disciplinary measures for violations, preventing terminated employees from accessing such information, oversight of service providers, reasonable restrictions upon physical access to such personal information, and regular monitoring to ensure that the program continues to operate in a manner that is reasonably calculated to prevent unauthorized access to, or use of, such personal information (with upgrades to the program as needed).

The Regulations also call for “computer system security requirements.” In summary, if you electronically store or transmit personal information, then your security program shall include the establishment and maintenance of a security system covering your computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

(1) Secure user authentication protocols (e.g., control of user IDs, a reasonably secure method of assigning/selecting passwords, control of data security passwords, restricting access to active users and active user accounts only, and blocking access to user identification after multiple unsuccessful attempts to gain access);

(2) Secure access control measures that restrict access to personal information to those who need such information to perform their job duties, and that assign unique identifications plus passwords to each person with computer access (reasonably designed to maintain the integrity of the security of the access controls);

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;

(4) Reasonable monitoring of systems for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information;

(7) Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions; and

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

The above is only a summary of the Massachusetts Regulations and is not intended as a complete, detailed description of its requirements.  You are encouraged to review the Massachusetts regulation and determine the impact, if any, that it will have on your existing privacy policies and procedures.  As stated above, the Regulations will go into effect on March 1, 2010.

This entry was posted in Compliance Alert by Patrick.

About Patrick

Pat is a Partner and Managing Director at HedgeOp Compliance, LLC. Prior to joining the team in August of 2003, Pat served as Assistant Counsel for Baring Asset Management Inc., where he was responsible for general compliance oversight and legal support in the areas of product development, marketing and distribution. Prior to this, Pat worked for Scudder Investments with responsibility for various compliance functions within its retirement plan and trust departments. Patrick received a JD degree from New England School of Law and a B.A. from the College of the Holy Cross. Pat is certified as an Investment Adviser Certified Compliance Professional (IACCPsm) by National Regulatory Service's Center for Compliance Professionals. Pat currently runs HedgeOp's Boston office.
