Issues in the News

Issue Alert: Privacy Regulations
11/26/2008

If You Collect "Personal Information" About Your Customers, Take Note

Background: The Massachusetts Office of Consumer Affairs and Business Regulation originally proposed regulations to take effect beginning on Jan. 1, 2009, with which every business owner who collects and maintains personal information about another resident of Massachusetts should be familiar. 

The regulations (201 CMR 17.01-17.04) define the personal information that must be protected (any portion of a person's name connected with a Social Security, driver's license or financial account number), specify what must be done to safeguard that information, and apply to records kept on paper or electronically and to any person, corporation, partnership, or other legal entity.

What the regulation says: First, the regulation requires you to develop, maintain and monitor a comprehensive written information security program for any personal information collected. 

Whether your program is in compliance will depend on whether:

  1. an employee or employees have been specifically designated to maintain the program;
  2. risks to security and confidentiality are reasonably identified and the effectiveness of current safeguards for limiting risks are improved through employee training, means for detecting and preventing security breaches, and checks on employee compliance with policies;
  3. security policies are developed for employees' use of, access to, and transport of personal information outside the work premises;
  4. disciplinary measures are taken for violation of the policies;
  5. terminated employees are prevented from accessing records containing personal information;
  6. third-party providers with access have verified their capacity to protect personal information in writing;
  7. all paper and electronic records containing personal information have been identified and physical access to such records has been reasonably restricted;
  8. your security program is regularly monitored to ensure compliance and safety, including minimally an annual review; and
  9. responsive actions to a breach of security and post-incident review have been documented. 

Secondly, the regulation requires that those entities that maintain personal information by computer include within their security program a security system. The security system must include secure user authentication, secure access control measures, encryption of all transmitted records and files containing personal information and of all data that will be transmitted wirelessly (if "technically feasible"), encryption of all information stored on laptops or other portable devices, monitoring of all systems for unauthorized use, firewall protection for information stored on a system connected to the Internet, reasonably up-to-date security system software, and education and training of employees.

The small business impact statement issued with the regulations admits to expenses for each small business that could be several thousand dollars up front, with annual maintenance fees of hundreds of dollars depending on the current state of the particular business's computer system. Although cost estimates are preliminary, it is likely that total expenses for the small business community in Massachusetts will exceed $1 billion.

What NFIB is doing: NFIB has joined with several business organizations to request significant delay (one year) in the implementation of the entire regulation. NFIB has suggested that requiring Massachusetts small businesses to obtain third-party verification be delayed for two years to Jan. 1, 2011. Finally, NFIB has requested that the encryption requirement apply only when computer systems are upgraded. 

The Office of Consumer Affairs has issued revised regulations that delay the general effective date of the regulations to May 1, 2009. The requirement to encrypt portable devices other than laptop computers is delayed until Jan. 1, 2010. The requirement to ensure that all third-party vendors (customers, suppliers, etc.) protect personal information in accordance with the MA regulations is delayed until Jan. 1, 2010.

Since compliance with these regulations may be difficult and expensive for many small businesses, I urge all to familiarize yourselves with the new rules and seek advice on necessary steps as soon as possible. For assistance with compliance, please consult the Massachusetts Department of Consumer Affairs Web site, click on the "For Businesses" tab and click on ID Theft.
