By Karl Siganporia, Esq.
What’s brewing in Massachusetts?
Nearly four years ago, the Massachusetts Office of Consumer Affairs and Business Regulation—pursuant to the authority of Massachusetts G.L.c. 93H—enacted a mostly unpublicized regulation designed to protect the personal information of Massachusetts residents. Massachusetts regulation 201 CMR 17, entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth”, established a March 1, 2010 compliance deadline for “every person that owns or licenses personal information about a resident of the Commonwealth [of Massachusetts].” The full text of the regulation can be found here.
Much of the regulation mandates widely accepted best practices for customer data protection, such as control of user IDs and other identifiers, a reasonably secure method of assigning and selecting passwords, and encryption of personal information that will travel across public networks.
Put it in writing!
The regulation contains a unique component with which many companies, particularly small to medium sized businesses, likely have not complied. The regulation requires development, implementation, and maintenance of a “comprehensive information security program.” This written document should include, among other things: (1) designation of one or more employees to maintain the comprehensive information security program; (2) risk assessment and risk mitigation; (3) security policies relating to storage, access, and transportation of personal records outside of business premises; (4) an ongoing employee training program; (5) implementation of disciplinary measures for violations of the comprehensive information security program; and (6) documentation of responses to any breach in security.
These requirements, while not especially onerous, are part of a regulation that has flown fairly under the radar for most of its existence, despite its wide-ranging applicability. (One would imagine that there are hundreds of thousands of businesses that own or license the personal information of at least one Massachusetts resident!)
Beware the company (or companies) you keep
A noteworthy aspect of the information security plan is the requirement that businesses monitor their service providers—by taking reasonable steps to select third-party service providers that comply with the regulation, and by contractually requiring third-party service providers to implement and maintain the security measures required by the regulation.
Given that most of the regulation encompasses best practices that reputable vendors would already be following, there are three major takeaways from this requirement:
(1) Businesses should have a process in place to choose service providers that comply with 201 CMR 17;
(2) In particular, businesses should ensure that the third-party service providers they select have a written information security plan; and
(3) Compliance with 201 CMR 17 should be included as a contractual requirement when obtaining services from third-party providers that involve consumer data—at least those which involve the personal information of Massachusetts customers.
As described above, this regulation was enacted by the Massachusetts Office of Consumer Affairs and Business Regulation—pursuant to the authority of Massachusetts G.L.c. 93H. Section 6 of chapter 93H provides, with respect to enforcement, that “the attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.”
The Massachusetts Office of Consumer Affairs and Business Regulation issued a memorandum with further details regarding how best to comply with 201 CMR 17. The memorandum can be found here.
The Massachusetts Supreme Judicial Court, in its recent holding in Tyler v. Michaels Stores (464 Mass. 492 (2013)), held that ZIP codes constitute “personal identification information” under G.L.c. 93, § 105(a), the statute restricting what a merchant may record in a credit card transaction. As such, the mishandling of ZIP codes when processing credit card transactions can “give rise to a legal claim against the retailer for unfair and deceptive practices.”
For the purposes of this regulation, a “person” may be an individual, corporation, association, partnership, or other legal entity.