Massachusetts has revised its data privacy regulations one more time. The revised regulations are less demanding that the original version released over a year ago. But this law is the strictest in the country and will be the de facto law of the land for many companies.
Office of Consumer Affairs and Business Regulation released a press release announcing that revised regulations have been filed with the Secretary of State and published on the OCABR website.
Fortunately, Gabriel M. Helmer of Foley Hoag’s Security & Privacy practice produced a redline showing the changes.
There are very few changes to the regulations that were released in August:
- The Massachusetts Data Privacy regulations apply to anyone who “stores” personal information, in addition to those who receive, maintain, process, or otherwise have access to personal information.
- Service Providers include anyone who “stores” personal information through their provision of services to anyone is subject to the regulations, in addition to those who receive, maintain, process, or otherwise are permitted access to personal information.
- The U.S. Postal Service is no longer expressly excluded from the definition of “Service Providers.”
- Service Provider agreements entered into before March 1, 2010 do not have to be amended to comply with these regulations until March 1, 2012.
The effective date is still March 1, 2010.
The regulations apply to personal information of Massachusetts residents. The reach of the regulations is not limited to businesses in Massachusetts.
References:
- Text of the Regulations: 201 CMR 17.00
- Redline showing the latest changes to the regulations
- Press Release – Patrick Administration’s Final Data Security Regulations Filed and Take Effect March 1, 2010; State Received Notice of More than 1 Million Instances of Exposure in Two Years
- Massachusetts Amends Strict Data Privacy Law (Again) – prior post
- Massachusetts Finally Finalizes Data Security Regulations – We Think by Kristen J. Mathews for the Privacy Law Blog
- Massachusetts Regulators Finalizing Information Security Regulations, Keep March 1, 2010 Deadline by Gabriel M. Helmer for Security, Privacy and The Law
If this applies to anyone who receives personal information or otherwise accesses personal information, what does this mean about online social networks? I can access a lot of personal information about my Massachusetts friends via facebook, etc. could a lawsuit be brought against an individual if their facebook is compromised and their friends data breached?
The definition of “personal information” is the key to your question. Facebook clearly collects lots of personal information, but not the “Personal Information” defined under Massachusetts law:
Personal information, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Since Facebook does not collect SSNs or financial account info, I don’t think the kind of breach you mention is covered under the law.
Does it apply to law firms?
Absolutely!
If you have a Massachusetts client’s name and their social security number, then you are subject to this law. If you get a W-9 or tax filings or other filings through email and those filings have a Massachusetts client’s name and their social security number, then that means your laptop and blackberry need to be encrypted. Your document systems need to be secure and you need proper protocols in place.
Thank you.
Are other states following MA’s lead? If so, how do I find out which states?
We are starting to see a patchwork of state laws. So far, not seem incompatible. Since Mass. is the most detailed and the strictest most companies seem to be treating it as the standard.
Other states with data privacy laws include:
Nevada: https://www.compliancebuilding.com/2008/10/29/nevada-law-on-privacy-of-personal-information/
New Hampshire: https://www.compliancebuilding.com/2010/01/15/compliance-bits-and-pieces-for-january-15/
New York: https://www.compliancebuilding.com/2008/12/10/six-states-now-require-social-security-nu/
New Mexico: https://www.compliancebuilding.com/2008/12/10/six-states-now-require-social-security-nu/
Michigan: https://www.compliancebuilding.com/2008/12/10/six-states-now-require-social-security-nu/
Texas: https://www.compliancebuilding.com/2008/12/10/six-states-now-require-social-security-nu/
Hi. Just wondering if this law went into effect on March 1, 2010 or if it was extended again.
Thanks.