In the past few years, Massachusetts has adopted stringent rules with respect to the handling of personal information. One of these rules, the Massachusetts data protection regulation, 201 CMR 17.00, requires businesses that receive, maintain, process, or have access to certain personal information of Massachusetts residents to design, implement and comply with a comprehensive written information security plan (WISP).
Most cloud users may encounter insurmountable obstacles.
A first implementation deadline required all businesses subject to the regulation to adopt WISPs for their operations by March 1, 2010 and to include a requirement for the adoption of WISPs in their services agreements executed after March 1, 2010. Massachusetts 201 CRM 17.00 contained a safe harbor, which gave businesses a little more time with respect to their existing contracts with service providers and data processors that have access to protected personal information if these contracts were already in place as of March 1, 2010. The two-year grace period was to allow for time to amend or renegotiate these services agreements and ensure all service providers of a business also comply with the requirements to adopt a WISP.
The end of the grace period is right around the corner. By March 1 companies that collect, process, use or store protected information of their Massachusetts employees, contractors, customers, prospects, business contacts and other third parties, directly or through cloud computing and other IT service providers, must fully comply with the regulation in their own operations, and must require their service providers to do the same.
201 CMR 17.00: What personal information is protected?
Only certain categories of personal information (“protected information”) are covered. The regulation is intended to protect files and records that contain a person’s first and last name (or first initial and last name) combined with any of the following information:
+ Social Security number
+ Driver’s license number
+ State-issued ID card number
+ Financial account (such as bank account, insurance account)
+ Credit or debit card number
Companies that fail to develop, implement and maintain a comprehensive WISP or to require their cloud and other service providers, in writing, to do the same may be subject to a $5,000 civil penalty for each violation. Think of the number of files or records in your database, and compute the potential financial exposure for your own company.
201 CMR 17.00: What is required?
The Massachusetts regulation contains a long list of data protection requirements, including:
+ Designating one or more employees to maintain the comprehensive information security program;
+ Developing and implementing a comprehensive written information security program that contains administrative, technical and physical safeguards appropriate to the size, scope and type of business;
+ Implementing special security measures for computer systems and wireless systems;
+ Implementing secure user authentication and access controls;
+ Encrypting all records and files containing personal information that will travel across public networks or are transmitted wirelessly;
+ Using reasonably up-to-date versions of system security agent software that includes malware protection and reasonably up-to-date patches and virus definitions;
+ Using monitoring systems to detect unauthorized use or access;
+ Ongoing monitoring of company’s compliance with the information security program;
+ Ongoing employee training;
+ Using reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with the regulation and any applicable federal regulations;
+ Entering into written contracts with these service providers;
+ Reviewing the scope of the information security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
201 CMR 17.00: What does this means for cloud users?
Massachusetts 201 CMR 17.00 poses significant problems to most cloud users. It requires companies to mandate their cloud computing service providers -- and other service providers -- adopt a WISP, and the WISP must be adapted to the nature of the personal data to be protected and the specific risks to these data. Cloud computing agreements tend to be one-size-fits-all, with little or no room for negotiations. Unless a company does significant business with a cloud service provider, it may have major difficulties trying to negotiate a contract that applies to its business and that incorporates all requirements of the Massachusetts regulation. Furthermore, cloud service providers are generally reluctant to make specific promises about the nature of the security measures made. Thus, most cloud users may encounter insurmountable obstacles.
However, inability to negotiate the proper contract and lack of bargaining power will not be an excuse for the custodians of personal information protected under 201 CMR 17.00. If data is lost, modified, or compromised due to inadequate security, a company that failed to implement the comprehensive security measures required by the Massachusetts regulation or that did not adequately ensure its cloud service providers comply with the Massachusetts regulation will be exposed to significant legal and financial liability, damages and penalties.
The March 1 deadline provides an opportunity for users of cloud services to reassess their security compliance obligations. It would be very risky and imprudent to hold personal information protected under the Massachusetts regulation without the proper internal security measures or without ensuring cloud service providers that hold protected personal information also comply fully with the regulation.
The IT Law Group has published a more detailed description of Massachusetts 201 CMR 17.00 requirements.
About the author:
Francoise Gilbert focuses on information privacy and security, cloud computing, and data governance. She is the managing director of the IT Law Group and serves as the general counsel of the Cloud Security Alliance. She has been named one of the country’s top privacy advisors in a recent industry survey and, for several years, has been recognized by Chambers USA and Best Lawyers in America as a leading lawyer in the field of information privacy and security. Gilbert is the author and editor of the two-volume treatise Global Privacy & Security Law, which analyzes the data protection laws of 65 countries on all continents. She serves on the Technical Board of Advisors of the ALI-ABA and co-chairs the PLI Privacy & Security Law Institute. This article only reflects her personal opinion and not that of her clients or the Cloud Security Alliance.