Massachusetts Issues Final Data Security Regulations
On November 4, 2009, the Massachusetts Office of Consumer Affairs and Business Regulations announced that it promulgated final data security regulations to take effect on March 1, 2009. In a previous blog post, I described imminent changes to the regulations and some of the history of the Massachusetts regulations. The final regulations appear at Title 201 of the Code of Massachusetts Regulations, Section 17.00 and following, and their purpose is to reduce the loss of sensitive personal information. In general, the regulations call for people and businesses holding certain personal information about Massachusetts residents to develop, implement, and maintain a comprehensive written information security program with safeguards to minimize the risk of identity theft.
A copy of the final data security regulations is linked here.
Last year and earlier this year, the Office postponed the effective date of the regulations to provide some additional time to make examine the effect of the regulations, especially on small businesses, and to make some adjustments to them. In September 2009, the Office held a hearing on further changes to the regulations, with the idea that the Office’s next step would be to file new regulations to serve as the final set. The Office, in turn, filed the final regulations on Wednesday.
I have compared the November final regulations to the September interim regulations, and note that the only changes in the final version relate to: (1) the scope of the law regarding the storage of personal information and (2) rules regarding service providers who have access to personal information on behalf of persons subject to the regulations.
1. Storage as a Covered Activity
The final regulations add the word “stores” from the definition of “owns or licenses.” By way of background, the regulations cover each person that “owns or licenses” personal information about a Massachusetts resident (and “personal information” is defined in the regulations). Under the previous definition of the phrase, a person “owns or licenses” personal information only if he or she “receives, maintains, processes, or otherwise has access to personal information” in providing goods or services or employment. Code of Massachusetts Regulations, Title 201, Section 17.02. The new version adds "stores" to the definition to make it clear that storage is a covered activity.
Likewise, the word “stores” now appears in the definition of “service provider.” Under the final regulations, a “service provider” is “any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.” 201 C.M.R. 17.02.
The Office of Consumer Affairs and Business Regulations clearly wanted to coverage the storage activity and storage vendors. Nonetheless, as a practical matter, the addition of the word “stores” to the regulations does not change the scope of the regulations much, if at all. Under the previous language of the regulations, storage service providers would likely have been covered anyway. First, merchants and service providers that “maintain” personal information would be covered, and if they are storing personal information over time, they are arguably “maintaining” that personal information. Second, the regulations still had a “catch-all” statement covering persons that have “access” to personal information. Merchants and service providers storing personal information will presumably have access to it, and so apparently would be covered. In any case, though, the new language removes all doubt and covers the storage of personal information and storage vendors.
2. Changes Relating to Service Providers
The final regulations make a number of technical amendments to clarify the obligations of service providers who handle personal information for persons subject to the regulations. First, a new provision omits an exclusion under the previous version that said the U.S. Postal Service is not a covered “service provider.” That provision concerns the definition of “service provider.” 201 C.M.R. 17.02. By omitting that exclusion, the U.S. Postal Service could, in theory, be a service provider requiring covered businesses to ensure its compliance, although it may not be common for the U.S. Postal Service to be acting in that role.
Second, the final regulations clarify the concept that until March 1, 2012, service provider contracts are still in compliance with the regulations, even if they do not call for security measures for personal information, if the contracts were entered into before March 1, 2010. After March 1, 2012, however, service provider contracts must provide for security measures for personal information, even if they were entered into before March 1, 2010. Thus, the regulations provide for a two-year transition period in which persons subject to the regulations using service providers must put into place contracts to implement and maintain appropriate security measures for personal information. 201 C.M.R. 17.03(2)(f)(2).
Partner, Cooke Kobrick & Wu LLP