Softpedia
 


September 26th, 2008, 13:50 GMT · By

Massachusetts Has the Toughest Personal Information Data Security Standards

Massachusetts' new identity theft prevention regulations
The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has issued the final version of regulations that establish a standard for the protection of personal information stored in paper and electronic records by private businesses. Deval L. Patrick, Governor of Massachusetts, also signed an executive order that requires state agencies to conform to the same regulations.

“The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth,” the document notes, where “personal information” is defined as the first and last name combined with other personal identification data such as Social Security number, driver's license number, financial account information and credit or debit card number. It is notable that SSNs or credit card numbers alone are not legally regarded as personal information.

The regulations extend the provisions of the identity theft prevention law enacted last year. Some of the more notable requirements are the appointment of a Chief Information Security Officer in each company, restriction of employee access to such data, additional monitoring for malicious network activity, securing authentication protocols, data encryption, and imposing disciplinary measures for protocol violations. Many of these requirements are a consequence of a recent OCABR report on the data breach notifications received in accordance with the identity theft law.

The report analyzes 318 incidents that affected over 625,000 Massachusetts residents. Out of the 318 data breach incidents, only ten involved encrypted data and 69 involved password-protected data. Furthermore, it notes that approximately 40% of the incidents resulted from employee errors and that 75% occurred in institutions in the financial services sector.

These regulations take effect on January 1, 2009. However, Jon B. Hurst, president of the Retailers Association of Massachusetts, thinks small businesses might not have the necessary time to comply with all the requirements. "Perhaps six or 12 months would be better," he told The Boston Globe. OCABR Undersecretary Dan Crane noted that, in his opinion, “the guidelines are reasonable in terms of cost and scope and promise to give consumers greater peace of mind that every effort is being made to minimize their exposure to identity theft and fraud”.

The new unified standard for preventing the disclosure of personal information, which applies to both the private sector, through the OCABR regulations, and the public sector, through the Governor's executive order, puts Massachusetts ahead of all the other states when it comes to breach notification and data security laws. "This executive order, in conjunction with the new regulations, demonstrates that we put a premium on consumer protection and are holding ourselves to the same high standards we now expect private companies to follow," said Governor Patrick.
