Deloitte hosted an executive roundtable on Massachusetts Data Protection. The room was packed full of us trying to figure what to do with these regulations.
Mark Schreiber of Edwards Angell Palmer & Dodge kicked things off with a look at the history of the regulation and the regulators view of the regulations. The regulators acknowledge that the regulations are burdensome. Tough!! they say. “Look at all of the data breaches!”
The regulations started with the MGL c. 93H addressing data breaches and Section 2(a) of MGL c. 93H providing for the promulgation of regulations. Waht came out were some of the toughest regulations in the country. There are no exemptions for industry, sector or size. If you have personal information on a Massachusetts resident you need to comply. That means every company with operations in Massachusetts and any company with information on a Massachusetts resident. These regulations go beyond the Red Flag Rules from the FTC.
Companies to address whether they are going to implement full enterprise protection or merely selective protection. If you can isolate the data on Massachusetts people you can treat that differently than other data.
The panelists also brought up the concept of “data in motion” versus “data at rest.” You need to look at how you are transmitting data as well as how it is stored.
What happens if you do not comply? There is no private right of action under the statute or regulations. But there will be law suits under these statutes. The panel foresees two types of class action suits coming out the law. One will be a negligence claim for allowing a data breach. The law creates the standard. Failure to comply with the law is negligence per se. They also see suits over the failure to properly notify the individuals affected by the data breach.
Audience poll: How many have a team assembled to implement the new regulations:
- 72% Yes
- 24% No
- 4% Not sure
Audience poll: How many have read the new regulations and guidance:
Audience poll: How many have addressed whether to do selective encryption or selective protection:
- 29% Yes
- 62% No
- 9% Not sure
Everyone who said yes has decided to use encryption.
The panel moved on to stress the importance of ownership of the Written Information Security Policy required by the law. You need to address the physical requirements as well as the electronic requirements. This requires a team approach, including HR, compliance, IT and building security.
You also need to focus on how to handle data security breaches. The Massachusetts statute as well as other states have a very short time frame for notification. less than half the audience had a well defined plan or even a somewhat defined plan.
On the training front, you need to decide on a discipline for failure to comply. You also need to decide who to train and the level of training.
Audience poll: How many have training programs on information security:
- 30% Training for all employees
- 13% Training for selected employees
- 52% None
- 5% Not sure
The paradigm of the Massachusetts law is that you should only collect the information you need, store it for only the time needed and make it available only to the people who need it.
In assessing the biggest challenges to complying with the law the audience found indentifying and assessing risks to be the biggest challenge. 53% of the audience has not done an audit of personal information sources. 49% of the audience does not monitor access to personal information.
Vendor management is another big issue under the law. If you share personal data with vendors, they need to be in compliance with the law. The law requires a certification of compliance, but there is no standard form of certificate. the firs step is to identify vendors and then to assess the risk profile for that vendor. 59% of the audience had not identified vendors that handle personal data.
As part of vendor management, you will need to continually monitor vendors that share personal data. You need to negotiate compliance into the vendor agreements and include oversight provisions. You need to incorporate vendor risk management as part of the governance program.