Massachusetts has several laws relating to data security and cybersecurity. Covered organisations that own or license personal information, each as defined in the applicable laws, will be subject to the obligations set forth under those laws. This note will detail and analyse the most relevant laws, including:
- The Standards for the Protection of Personal Information of Residents of the Commonwealth under §17 of Title 201 of the Massachusetts Code of Regulations ('Safeguards Regulation'): The Massachusetts Office of Consumer Affairs and Business Regulation ('OCABR') promulgated the Safeguards Regulation in November 2009, setting standards for the protection of personal information of Massachusetts residents. The Safeguards Regulation is the primary cybersecurity law in Massachusetts. It has some of the strictest state-level data security requirements in the United States, including requiring covered persons[1] to implement a comprehensive written information security program ('WISP') with specific mandatory security measures.
- Agency Privacy Rules, which are codified in Chapter 66A of Title X of the Massachusetts General Laws ('Mass. Gen. Laws ch. 66A') and associated rules. Executive agencies within the Massachusetts state government are not subject to the Safeguards Regulation but must follow the (more stringent) Agency Privacy Rules.
- Data Breach Notification Law under §1 et seq. of Chapter 93H of Title XV of Part I of the Mass. Gen. Laws ('the Data Breach Notification Law'): The Data Breach Notification Law requires persons who become aware of a data breach to notify the OCABR and the Massachusetts Attorney General's ('AG') Office, in addition to potential obligations to notify affected individuals.
The Safeguards Regulation is supplemented by the Frequently Asked Questions Regarding 201 CMR 17.00 ('FAQs') and the 201 CMR 17.00 Compliance Checklist, both created by OCABR.
There are also a number of Massachusetts data privacy laws that contain certain security requirements. These include the Fair Information Practices Act under §11.00 of Title 940 of the CMR, which requires Massachusetts government agencies to implement certain safeguards (including a WISP); and the Massachusetts consumer protection law under Chapter 93A of Title XV of Part I of Mass. Gen. Laws ('the Consumer Protection Act'), which broadly prohibits unfair or deceptive practices and could be used to bring actions when consumers have been harmed by an organisation's failure to implement reasonable security measures for personal information or to make accurate statements regarding the security of a consumer's personal information.
Please note that this Guidance Note refers to state-wide legislation for Massachusetts. In addition to the state requirements outlined here, federal cybersecurity requirements may be applicable under federal laws such as the Gramm-Leach-Bliley Act of 1999 ('GLBA') and the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'). For more information, please refer to the following OneTrust DataGuidance Guidance Notes:
- USA Federal - Cybersecurity;
- USA - GLBA Safeguards Rule – Cybersecurity;
- USA - NIST – Cybersecurity; and
- USA - HIPAA - Cybersecurity.
The Safeguards Regulation is not specific to any one business sector, nor is it limited to businesses or organisations based in or doing business in Massachusetts. Rather, it generally applies to 'persons' who own or license personal information about a resident of the Commonwealth of Massachusetts. This means the person 'owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.'
The Safeguards Regulation requires such persons to meet minimum standards to safeguard personal information. The objectives of the Safeguards Regulation are to ensure customer information is secure and confidential, protect against anticipated threats or hazards to the security and confidentiality of customer information in a manner consistent with industry standards, and protect against unauthorised access to or use of such information in a manner that may substantially harm or inconvenience any consumer.
The Safeguards Regulation defines personal information as a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
- social security number;
- driver's license number or state-issued identification card number; or
- financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.
However, personal information under the Safeguards Regulation does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
3. GENERAL REQUIREMENTS
Personal Information Safeguards
To comply with the Safeguards Regulation, every person who owns or licenses personal information about a resident of the Commonwealth of Massachusetts must have a WISP, which must be written in one or more readily accessible parts and must define and address administrative, technical, and physical safeguards. These safeguards must be appropriate for the person as determined by the below factors:
- the size, scope, and type of business of the person;
- the resources available to the person;
- the amount of stored personal information; and
- the security and confidentiality requirements of the person.
The safeguards in the WISP must be consistent with the safeguards contained in any other applicable state or federal regulation regarding the protection of personal information. Examples include HIPAA (for covered entities and those who provide services on behalf of such entities), the GLBA, and other state requirements such as the New York State Department of Financial Services ('NYDFS') Cybersecurity Requirements for Financial Services Companies, Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York ('the NYDFS Cybersecurity Regulation' or '23 NYCRR 500'), which applies to insurance companies and other financial institutions.
While the adequacy of a particular WISP depends on the factors listed above, there are some general guidelines. For example, a large multinational enterprise that stores a significant amount of sensitive personal information may be expected to establish and maintain highly defined, cross-functional governance structures, role-based training, and administrative controls, and to invest in regular external third-party risk assessments or industry-leading technical measures around access controls, encryption, and vulnerability and patch management, while a small local business that collects minimal personal information may be expected to invest in less rigorous measures.
In any event, the Safeguards Regulation imposes specific requirements for every WISP, including without limitation, to:
- designate one or more employees to maintain the WISP;
- identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing personal information, and implement safeguards to limit those risks, including:
- ongoing employee training (including temporary and contract employees);
- employee compliance with the policies and procedures; and
- means for detecting and preventing security system failures;
While there is no statutory minimum employee training requirement, the Safeguards Regulation requires employers to ensure that their employees who have access to personal information know their obligations under Safeguards Regulation — inadequately trained employees can jeopardise the safety of personal information. Thus, organisations should ensure and verify that employees receive training on the importance of protecting personal information, using computer systems properly, and the elements of the Safeguards Regulation. Organisations should also consider requiring employees to contractually agree to comply with WISP policies and/or requiring universal compliance with the WISP in employment contracts. In addition, if an organisation suffers a data breach or other incident, the organisation should update employee training with any lessons learned and consider offering additional training.
- develop security policies for employees who store, access, and/or transport records containing personal information outside of the business premises;
- impose disciplinary measures when the WISP is breached;
- prevent terminated employees from accessing records containing personal information;
- take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with the Safeguards Regulation and any applicable federal regulations, and contractually require such service providers to implement and maintain appropriate security measures for personal information;
- create reasonable physical restrictions on accessing records containing personal information, and the storage of such records in locked facilities, storage areas, or containers. Any physical safeguards must be detailed in the WISP. The FAQs suggest that even small businesses with minimal personal information should keep such personal information in a locked storage cabinet in a room with a locked door;
- monitor regularly to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorised access to or unauthorised use of personal information, and update information safeguards as necessary;
- review the scope of security measures annually, or any time there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information; and
- document responsive actions taken in connection with any incidents involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to change business practices relating to the protection of personal information.
Computer System Security Safeguards
In addition, every person that electronically stores or transmits personal information must include in its WISP the establishment and maintenance of a security system covering its computers (including any wireless system) that, at a minimum, and to the extent technically feasible[2], contains:
- secure user authentication protocols, including:
- controlling user IDs and other identifiers;
- implementing a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
- controlling data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
- restricting access to active users and active user accounts only; and
- blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.
- secure access control measures that:
- restrict access to records and files containing personal information to those who need such information to perform their job duties; and
- assign unique identifications plus passwords (i.e., not default passwords) to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
- encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
- reasonable monitoring of systems, for unauthorised use of or access to personal information;
- encryption of all personal information stored on laptops or other portable devices;
- reasonably up-to-date firewall protection and operating system security patches for files containing personal information on a system that is connected to the Internet, which are reasonably designed to maintain the integrity of the personal information;
- reasonably up-to-date versions of system security agent software that include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis; and
- education and training of employees on the proper use of the computer security system and the importance of personal information security.
Under the Safeguards Regulation, 'encryption' means transforming data into an unreadable form in which meaning cannot be assigned without the use of a confidential process or key (201 Code Mass. Regs. 17.02). Significantly, password protection that does not alter the condition of the data is not encryption. The definition of encryption in the Safeguards Regulation is intended to be technology neutral and should take into account encryption technology developments.
The Data Breach Notification Law applies to any person, legal entity, or agency that owns or licenses a Massachusetts resident's personal information (referred to here as a 'covered person'). The Data Breach Notification Law also imposes certain obligations on persons, legal entities, and agencies that maintain or store Massachusetts residents' personal information that they do not own or license.
The Data Breach Notification Law provides that covered persons that maintain and comply with breach response procedures under federal laws, rules, regulations, guidance, or guidelines will be deemed in compliance with the statute.
3.2.1. In case of a cybersecurity incident, is there an obligation to notify the regulatory authority?
Yes. Under the Data Breach Notification Law, a covered person must notify the OCABR and the AG when it knows or has reason to know of:
- a breach of security (i.e., an unauthorised acquisition or use of unencrypted data, or encrypted electronic data and the confidential process or key that (a) is capable of compromising the security, confidentiality, or integrity of personal information and (b) creates a substantial risk of identity theft or fraud against a Massachusetts resident); or
- an instance in which the personal information was used for an unauthorised purpose or acquired or used by an unauthorised person.
A covered person must submit a report even if the incident was suffered by another related entity, such as a third-party vendor.
3.2.2. If yes, please describe the process, timeline, and any other formality that needs to be adhered to.
The notice made to the OCABR and the AG must include:
- the nature of the breach of security;
- the number of Massachusetts residents affected;
- the name and address and type of person or agency that experienced the breach of security;
- the name and title of the person reporting the breach of security and his/her relationship to the person or agency that experienced the breach of security;
- who is responsible for the breach of security, if known;
- the type of personal information compromised;
- whether the person or agency maintains a WISP; and
- any steps the person or agency has taken (or plans to take) related to the breach of security, including specifically whether the person or agency has updated the WISP.
The covered person must also include, with the notice, a sample of the resident notification. If social security numbers are affected by the breach of security, the person or agency also must file a report (as part of or separate from the notice to the state regulator) certifying that its third-party credit monitoring services comply with the requirements of §3A of Mass. Gen. Laws ch. 93H.
3.2.3. In case of a cybersecurity incident, are there other subjects that need to be notified?
The covered person must additionally notify any affected Massachusetts residents on a rolling basis. The notice to residents must include:
- the right to obtain a police report;
- how to accomplish a free security freeze and the necessary information to provide when requesting the freeze;
- if the breach of security involves Social Security numbers, the information necessary for the resident to learn how to enroll in the free third-party credit monitoring services;
- detail of any mitigation services to be provided; and
- if applicable, the name of the parent or subsidiary organisations of the covered person sending the notice to residents.
The Data Breach Notification Law does not require covered persons to include in the notice the nature of the breach or the number of Massachusetts residents affected.
3.2.4. Please outline any other bodies that might be notified.
A Massachusetts agency that experiences a breach of security also must notify the Executive Office of Technology Services and Security and the Division of Public Records in the Office of the Secretary of the Commonwealth.
For more information, please refer to the following OneTrust DataGuidance Guidance Note: Massachusetts - Data Breach.
The Safeguards Regulation requires a person to designate one or more employees responsible for the WISP.
Massachusetts has not adopted the National Association of Insurance Commissioners ('NAIC') Insurance Data Security Model Law (#668), but entities in the insurance sector are specifically required to comply with the Safeguards Regulation. See Massachusetts Division of Insurance Bulletin No. 2010-02 (1 February 2010).
Consumer: Not applicable.
Cybersecurity event: Not applicable.
Information Security Program: Not applicable.
Information System: Not applicable.
Licensee: Not applicable.
Non-public Information: Not applicable.
4.2. Information security program implementation
4.3. Cybersecurity incidents
4.4. Powers / penalties
Apart from the attorney general's role in the direct enforcement of HIPAA requirements, including as set forth in the HIPAA Security Rule, Massachusetts does not have cybersecurity law requirements specific to the health sector. In addition, entities in the health sector and health information are not excluded from a number of other broadly applicable laws, such as the Safeguards Regulation.
5.2. Security program / framework
For more information on federal cybersecurity obligations in the health sector please refer to the following OneTrust DataGuidance Guidance Note USA - HIPAA - Cybersecurity.
Massachusetts does not have cybersecurity law requirements specific to the financial sector, but entities in the financial sector and financial information are not excluded from a number of other broadly applicable laws, such as the Safeguards Regulation.
6.2. Security program / framework
For more information on federal cybersecurity obligations in the financial sector, please refer to the following OneTrust DataGuidance Guidance Note: USA - GLBA Safeguards Rule – Cybersecurity.
The Safeguards Regulation is enforced by the AG under §4 of Mass. Gen. Laws ch. 93A. The AG may seek injunctive relief and civil damages payable to the Commonwealth of Massachusetts of up to $5,000 per violation (plus reasonable litigation costs). The AG can also request a copy of an organisation's WISP. When assessing non-compliance with the Safeguards Regulation, the AG takes into account the size and scope of a person's business, the resources available to them, the amount of data they store, and the need for confidentiality.
The Massachusetts AG has brought a number of enforcement actions relating to data breaches, including participating in multistate actions. Typically, the actions have alleged that organisations violated the Safeguards Regulation, the Massachusetts Data Breach Notification Law, the Massachusetts Consumer Protection Act, and/or HIPAA. Past enforcement actions have included allegations about organisations' failure to follow their WISPs, properly oversee third-party service providers, or implement sufficient security measures to protect personal information. Many enforcement actions result in settlement agreements. For example:
- South Shore Hospital agreed to pay $750,000 to resolve allegations that it failed to protect the personal information of more than 800,000 patients, in relation to a data breach several years earlier. The hospital shipped unencrypted back-up computer tapes containing this information (including names, social security numbers, financial account numbers, and medical diagnoses) to a third-party service provider to be erased. Only one of the three boxes containing the computer tapes arrived;
- The AG participated in multistate settlements with The Home Depot, Inc. ($525,000) and Anthem, Inc. ($1.4 million) regarding 2014 data breaches and Equifax Inc. regarding a 2017 data breach that compromised personal information nationwide, including nearly three million Massachusetts residents ($18 million);
- The Women and Infants Hospital in Rhode Island agreed to pay $150,000 and take specific compliance steps to resolve allegations that it failed to secure and report the loss of more than 12,000 Massachusetts residents' personal information and protected health information on unencrypted backup tapes; and
- A service provider, CoPilot Provider Support Services Inc., agreed to pay $120,000 and update its security policies following allegations that the company failed to provide timely notice of a data breach that affected nearly 2,000 Massachusetts residents.
8. OTHER AREAS OF INTEREST
While the Safeguards Regulation does not apply to any agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof, the Agency Privacy Rules apply to these executive agencies to the extent that they hold personal data. Personal data is defined in Chapter 66A of Title X of Mass. Gen. Laws as any information concerning an individual that, because of name, identifying number, mark or description, can be readily associated with a particular individual; provided, however, that such information is not contained in a public record and shall not include intelligence information, evaluative information, or criminal offender record information as defined in Chapter 66A of Title X of Mass. Gen. Laws.
An agency 'holds' personal data if it collects, uses, maintains, or disseminates personal data. The Agency Privacy Rules also apply to any person or entity that contracts or has an arrangement with an agency whereby it holds personal data as part or as a result of performing a governmental or public function or purpose, but only with respect to the personal data it holds under the contract or arrangement with the agency. Such agencies, and third parties who hold personal data on behalf of an agency, are referred to as 'holders.'
Under the Agency Privacy Rules, holders must:
- have a designated information officer who is responsible for the holder's personal data system (i.e., a system of records containing personal data, organised such that the data is retrievable by use of the identity of the data subject) maintained by the holder;
- inform each of its employees with any responsibility or function involving the design, development, operation, or maintenance of any personal data system, or use of any personal data contained in such system, of applicable data security laws in Massachusetts;
- not collect or maintain more personal data than is reasonably necessary to carry out the agency's statutory functions;
- take reasonable precautions to protect personal data from the dangers of fire, identity theft, flood, natural disaster, or other physical threat;
- maintain personal data with the accuracy, completeness, timeliness, pertinence, and relevance necessary to assure a fair determination of a data subject's qualifications, character, rights, opportunities, or benefits when such determinations are based on such data;
- keep records of any third-party access to or use of personal data; and
- file a report with the Secretary of the Commonwealth describing the personal data system any time the personal data system is established, terminated, or substantially changed.
A holder may contract with a third party to store or maintain personal data on its behalf, but that will not relieve the holder of its obligations under the Agency Privacy Rules.
In addition, each holder of personal data is restricted from sharing or providing third-party access to personal data outside the following circumstances:
- data required in response to a compulsory legal process. No notice is required to the data subject if a court orders that the data subject's knowledge would prejudice the legal proceedings;
- data required by any federal, state, or local governmental agency for criminal or civil law enforcement;
- data requests from the United States Census Bureau;
- data required by a court of competent jurisdiction;
- medical or psychiatric data requested by a physician treating the data subject when a medical or psychiatric emergency exists and the physician is unable to obtain patient consent; or
- data requests from the AG when a data subject files a complaint against an executive agency and the agency holds personal data of the data subject.
1. Defined as 'a natural person, corporation, association, partnership, or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.'
2. 'Technically feasible' means that if there is a reasonable means through technology to accomplish a required result, the organisation must use it (see FAQs).