Breach Notification – Massachusetts

Massachusetts’ data breach notification and security law (M.G.L. c. 93(H)) requires that, in the event of a data security breach, entities that own, license, store, maintain or process the personal information of residents of Massachusetts must notify: (a) all such affected residents; (b) the Massachusetts Attorney General; and (c) and the Director of the Office of Consumer Affairs and Business Regulation (OCABR). The law also requires anyone who “maintains or stores” personal information to provide notice of a breach to owners and licensors.

Further regulations issued by OCABR (201 CMR 17.00) adopt regulations designed to further safeguard the personal information of Massachusetts residents. Established in March 2010, the regulations set minimum security standards for owners and licensors of personal information.

By both statute and regulation, Massachusetts has requirements for both: (a) ongoing data security obligations; and (b) notification requirements in the event a data breach.

Who is affected?
From January 1, 2008 through December 2013, the Massachusetts Attorney General’s Office received 4,684 breach notifications, affecting approximately 4.75 million Massachusetts residents.

Person is defined as “a natural person, corporation, association, partnership or other legal entity,” including persons who reside or do business outside the state.

Thus, a researcher would have to comply, even if they have no formal or direct connection with Massachusetts. All that would be required to trigger the law is for the market research firm to be provided (by a client or other third party) a data-set that contains personal information (as defined below) of a Massachusetts resident.

Personal information is defined as a resident’s first name and last name in combination with any one or more of the following:

social security number; and/or
driver’s license number or state-issued identification card number; and/or
financial account number, or credit or debit card number.
Note that this definition, like those in most states’ laws, does not include data commonly collected as part of the research process. However, it will likely apply to employees’ data or data provided in customer/client businesses.

What constitutes a security breach?
The law is triggered when a person “knows or has reason to know” of a breach of security or that personal information was acquired or used without authorization.

The law defines a breach of security as an unauthorized acquisition or use of data “that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.” The law also provides that a “good faith but unauthorized acquisition of personal information [for lawful purposes] is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.” And unlike the majority of state data security breach notification laws, Massachusetts defines a breach of security to include hard copy, as well as electronic data.

What is required in the event of a breach?
If a person does not own or license personal information, but merely maintains or uses the information, the person must provide notice to the owner or licensor in the event of a breach. When you know or have reason to know (a) of a breach of security, or (b) that personal information of a Massachusetts resident was acquired by or used by an unauthorized person or used for an unauthorized purpose, you must notify “as soon as practicable and without unreasonable delay”:

the Attorney General (AG);
the director of OCABR; and
all affected residents of Massachusetts.
Notice to the AG and the director of OCABR must include:

the nature of the breach of security or unauthorized acquisition or use;
the number of residents of the commonwealth affected; and
any steps the person or agency has taken or plans to take relating to the incident.
Notice to residents must include:

the resident’s right to obtain a police report;
how a resident requests a security freeze and the information necessary for the request; and
any fees required to be paid to any of the consumer reporting agencies
The Massachusetts AG’s Office provides sample notification letters.

If more than 500,000 residents are affected, if the cost of giving written notice would exceed $250,000, or if the person has insufficient contact information, the person may give “substitute notice.” The regulations define “substitute notice” as:

electronic mail notice, if the person or agency has electronic mail addresses for the members of the affected class of Massachusetts residents;
clear and conspicuous posting of the notice on the homepage of the person or agency if the person or agency maintains a website; and
publication in or broadcast through media or medium that provides notice throughout the commonwealth.
What are the requirements to secure personal information?
To reduce the risks of a security breach, Massachusetts regulations require the development, implementation, and maintenance of a comprehensive information security program. Specifically, the program must include:

designating one or more employees to maintain the program (such as a privacy officer)
identifying and assessing reasonably foreseeable risks to the security of data, and evaluating and improving the effectiveness of the current safeguards for limiting such risks, including but not limited to:
ongoing employee training;
employee compliance with policies and procedures; and
means for detecting and preventing security system failures.
developing security policies for employees relating to the storage, access, and transportation of records containing personal information
imposing disciplinary measures for violations
preventing terminated employees from accessing records containing personal information
overseeing service providers by:
selecting third-party service providers that are capable of maintaining security; and
requiring third-party service providers by contract to implement and maintain such appropriate security measures for personal information. (Through and including March 1, 2012, the regulations exempt contracts entered into before March 1, 2010)
reasonably restricting physical access to personal information and storing such data in locked facilities, storage areas, or containers
regularly monitoring to ensure that the program is operating properly, and upgrading information safeguards as necessary to limit risks
reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information
documenting responsive actions taken in connection with any breach of security, and conducting mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
Additionally, if a person stores or transmits personal information electronically, the person shall include in its program the establishment and maintenance of a security system covering its computers and wireless systems that has the following:

secure user authentication protocols including
control of user IDs and other identifiers
a secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices
passwords kept in a location and format that does not compromise security
restricting access to active users and active user accounts only
blocking users after multiple unsuccessful attempts to gain access
secure access control measures that:
restrict access to records and files containing personal information to those who need such information to perform their job duties
assign unique identifications plus passwords to each person with computer access
encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly
reasonable monitoring of systems for unauthorized use of or access to personal information
encryption of all personal information stored on laptops or other portable devices
reasonably up-to-date firewall protection and operating system security patches
reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis
education and training of employees on the proper use of the computer security system and the importance of personal information security.
Penalties and consequences for failure
By law, the AG “may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.”

Section 4 provides that if a person “knew or should have known” that he was violating the law, there may be “a civil penalty of not more than five thousand dollars for each such violation” and the person may also be required to pay “reasonable costs of investigation and litigation of such violation, including reasonable attorneys’ fees.”

The penalties assessed in the cases settled so far have varied, based, to a degree, on the number of affected consumers. A Boston restaurant settled a case for $110,000 in which the personal information of “tens of thousands” of customers was compromised, while a South Shore, MA hospital settled a case for $750,000 in which the personal information of 800,000 individuals was compromised. A property management firm was ordered to pay $115,000 when a laptop was stolen which contained the personal information of a mere 600 Massachusetts consumers.

Although the law allows private consumers to file lawsuits, they would have to prove actual harm, rather than claiming the civil penalty. So far, there have been no successful private causes of action. The real risk to data owners and licensors is being sued by the AG.

Five compliance “take-aways”
If you are located in Massachusetts, or conducting research nationwide, you should begin by analyzing datasets for Massachusetts residents or employees. If Massachusetts residents or employees are found, and you have access to “personal information” as defined by Massachusetts law, you must comply, and develop a comprehensive data security policy.

Step One: Designate one or more persons as a security coordinator (or privacy officer).

Step Two: Develop written guidelines in light of current state and federal laws. Consider such factors as the size of your business; the amount of personal information that is stored; access to the personal information; how you dispose of the personal information, etc. Implement the program as required by the regulation. Businesses that electronically store data should mind the additional requirements.

Step Three: Investigate, analyze, train, and execute policies in accordance with the program.

Step Four: Negotiate and enforce contractual obligations (including appropriate representations/warranties/covenants and indemnification provisions to mitigate risk) with service providers and vendors, ensuring that they comply with the applicable Massachusetts provisions.

Step Five: If there are any security breach violations, respond to the incidents and notify according to the Massachusetts security breach notification law (M.G.L. c. 93(H)), and then modify your written comprehensive plan accordingly. Based on those modifications, the implementation of a new plan of action to investigate, analyze, train, and execute against breaches will be required.