Massachusetts: Data Protection in the Financial Sector
1. Governing Texts
Massachusetts does not have a general data protection law specific to financial information, but financial information is not excluded from other broadly applicable laws and regulations, such as the Standards for the Protection of Personal Information of Residents of the Commonwealth under §17.00 of Title 201 of the Code of Massachusetts Regulations ('the Safeguards Regulation'). Financial institutions are also generally subject to the data protection requirements set forth in the federal Gramm-Leach-Bliley Act of 1999 ('GLBA'), including its Privacy Rule and Safeguards Rule. More generally, US laws applicable to the financial sector are in large part at the federal level - the GLBA being just one example. Thus, this Guidance Note should be read in conjunction with its federal equivalent, USA – Data Protection in the Financial Sector.
The Safeguards Regulation applies to financial institutions as well as to other types of entities (including out-of-state financial institutions and other entities) that handle personal information of Massachusetts residents, and imposes many requirements aimed at ensuring that such information is sufficiently protected. The Safeguards Regulation and other generally applicable Massachusetts data protection laws and regulations are discussed in depth in the Massachusetts – Data Protection Overview Guidance Note. Useful starting points for understanding and evaluating Safeguards Regulation compliance considerations include the 201 CMR 17.00 Compliance Checklist and the Frequently Asked Questions Regarding 201 CMR 17.00, each published by the Office of Consumer Affairs and Business Regulations ('OCABR').
The GLBA applies specifically to financial institutions, with a business' activities determining whether it qualifies as a financial institution. In relevant part, the GLBA serves to protect consumer 'non-public personal information,' which is broadly defined to include substantially all personally identifiable information that a financial institution collects about consumers. The substantive obligations the GLBA imposes include providing a privacy notice to consumers, allowing consumers to opt out of the disclosure of their non-public personal information to non-affiliated third parties in certain circumstances, abiding by limitations on the re-use and re-disclosure of non-public personal information, and implementing a program of administrative, technical, and physical safeguards to protect non-public personal information. A financial institution's data protection obligations under the GLBA, including its Privacy and Safeguards Rules, are discussed in depth in the USA – GLBA Guidance Note.
1.2. Supervisory authorities
The Safeguards Regulation was adopted by the OCABR and is enforced by the Massachusetts Attorney General ('AG').
The GLBA is enforced by a number of federal regulatory agencies, as well as by state insurance regulators, including, in Massachusetts, the Division of Insurance ('DoI').
In addition, the Division of Banks ('DoB') is the chartering authority and primary regulator for financial service providers in Massachusetts. The DoB's primary mission is to ensure a sound, competitive, and accessible financial services environment throughout the Commonwealth. The DoB 'recommends all banks, credit unions, and non-depository institutions develop a comprehensive cybersecurity program' and a 'plan to achieve a level of cybersecurity preparedness that is appropriate' for each financial institution. See the Cybersecurity for the financial services industry handbook, available on the DoB's website.
The OCABR oversees both the DoB and the DoI, among other agencies.
2. Personal and Financial Data Management
2.1. Legal basis for processing
See discussion of the GLBA in the USA – GLBA Guidance Note.
Mass. Gen. Laws ch. 175I: Insurance Information and Privacy Protection ('the Insurance Act'), enacted in 1991, requires insurance companies and insurance representatives to provide a written notice of information practices to all applicants or policyholders in connection with insurance transactions. The Insurance Act is based on a model regulation of the same name (Model Regulation 670) adopted by the National Association of Insurance Commissioners ('NAIC') in 1982.
Highlights of the Insurance Act include the following:
- The written privacy notice must state whether personal information may be collected from persons other than the individual proposed for coverage, the type of personal information that may be collected, the type of disclosure permitted by the statute, the circumstances under which such disclosure may be made without prior authorisation, and a description of the rights of individuals established under the statute.
- A data subject has:
- the right to request access to his/her recorded personal information which is reasonably locatable and retrievable by the insurance company or representative;
- the right to request correction, amendment or deletion of his/her recorded personal information; and
- if proposed for coverage, the right to request and obtain the specific reason or reasons for an adverse underwriting decision.
- No opt-out notice is required to disclose personal information to an affiliate for marketing an insurance product or service. However, opt-out notice is required for disclosure of personal information to non-affiliates for marketing purposes.
- Personal information is defined as 'any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health or any other personal characteristics.' It also includes an individual's name and address and 'medical-record information' but shall not include 'privileged information.' Privileged information is defined as 'any individually identifiable information that: relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual…' (Section 2 of the Insurance Act).
In addition to the Insurance Act, licensees are subject to the GLBA's provisions relating to the protection of consumer non-public personal information as well as the Safeguards Regulation.
Notably, Massachusetts has enacted neither the Privacy of Consumer Financial and Health Information Regulation 672 ('Model Reg. 672') nor the Standards for Safeguarding Customer Information Model Regulation 673 ('Model Reg. 673'), both of which were adopted by the NAIC shortly after passage of the GLBA and have been enacted in over thirty states. In adopting these model laws, the NAIC intended that states would enact them to implement GLBA's privacy and security provisions with respect to persons engaged in providing insurance. In addition to establishing standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information, Model Reg. 673 provides greater privacy protections than GLBA in that it covers non-public personal financial information and non-public personal health information.
In addition to complying with the Insurance Act, the Safeguards Regulation, and Massachusetts' general data breach notification law, banks, credit unions, and lenders engaged in insurance sales activities in Massachusetts must comply with Mass. Gen. Laws ch. 93I: Dispositions and Destruction of Records ('the Records Destruction Act') (Division of Insurance regulations, 211 CMR 142.08 (Customer Information and Record Keeping)). Under the Records Destruction Act, when disposing of records containing personal information, persons must meet the following minimum standards (Section 2 of the Records Destruction Act):
"(a) paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed;
(b) electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed."
Massachusetts has not enacted the Insurance Data Security Model Law adopted by the NAIC in 2018. The latter model law, enacted by a handful of states to date, including Connecticut, Delaware, and New Hampshire, is based on the Cybersecurity Requirements for Financial Services Companies, N.Y. Comp. Codes R. & Regs. tit. 23 §500, effective 1 March 2017. You can read more about cybersecurity requirements in New York in our New York - NYDFS Cybersecurity Guidance Note. The purpose and intent of the model law is to establish standards for data security and standards for the investigation of, and notification to the commissioner of insurance of, a cybersecurity event involving persons licensed, authorised, or registered pursuant to the insurance laws of the state.
Electronic Funds Transfer
Mass. Gen. Laws Ch. 167B: Electronic Branches and Electronic Fund Transfers ('the EFTA') contains a number of provisions that regulate electronic funds transfers and financial institutions.
In this context, 'electronic funds transfer' is defined as follows (Section 1 of the EFTA):
any transfer of funds, other than a transaction originated by check, draft, or similar paper instrument, which is initiated through an electronic branch, telephone instrument, or computer or magnetic tape or point-of-sale terminal so as to order, instruct or authorise a financial institution to debit or credit an account. Such term includes, but is not limited to, point-of-sale transfers, automated teller machine transactions, direct deposits or withdrawals of funds, and transfers initiated by telephone. Such term shall not include:
- a check guarantee or authorisation service which does not directly result in a debit or credit to a consumer's account;
- any transfer of funds, other than those processed by an automated clearinghouse, made by a financial institution on behalf of a consumer by means of a service that transfers funds held at either Federal Reserve banks or other depository institutions and which is not designed primarily to transfer funds on behalf of a consumer;
- any transfer, the primary purpose of which is the purchase or sale of securities or commodities regulated by the Securities and Exchange Commission or the Commodities Futures Trading Commission;
- any transfer under an agreement between a consumer and a financial institution which provides that the institution will initiate individual transfers without a specific request from the consumer:
- between a consumer's accounts within the financial institution, such as a transfer from a checking account to a savings account;
- into a consumer's account by the financial institution, such as the crediting of interest to a savings account; provided that the financial institution shall be subject to Section 7(2) and Sections 20 and 21 of the EFTA; or
- from a consumer's account to an account of the financial institution, such as a loan payment; provided that the financial institution shall be subject to Section 7(1) and Sections 20 and 21 of the EFTA; or
- any transfer of funds which is initiated by a telephone conversation between a consumer and an officer or employee of a financial institution that is not pursuant to a prearranged plan and under which periodic or recurring transfers are not contemplated.
'Financial institution' is defined as follows (Section 1 of the EFTA):
any person who (a) directly or indirectly holds an account belonging to a consumer or (b) issues an access device and agrees with a consumer to provide electronic fund transfer services; provided, however, that a person shall not include a co-operative bank, a credit union, a federal bank, a foreign bank, an out-of-state bank, an out-of-state federal bank, a savings bank or a trust company, as defined in Section 1 of the EFTA, and a federal credit union and a foreign credit union, as defined in Section 1 of Ch. 171 of Title XXII of the Mass. Gen. Laws.
Among the notable data protection provisions of the EFTA:
- a consumer's US social security number shall not be used as or as part of a central information file number, personal identification number or primary financial account number, or to electronically identify the consumer to any financial institution or organisation; provided that it may be used to assist a financial institution or organisation in verifying the identity of a consumer (Section 14 of the EFTA). An organisation here includes persons or entities who assist or provide services to financial institutions or merchants, and 'merchant' in turn includes persons or entities that provide a location for a point-of-sale terminal and contract with a financial institution or an approved organisation for electronic fund transfer services (Section 1 of the EFTA).
- a person may not disclose information regarding any account or electronic fund transfer to any person except to the following persons and/or in the following circumstances:
- the consumer making the transfer;
- any other person who is a party to an electronic funds transfer or is necessary to effectuate the transfer, but only to the extent that the information disclosed is necessary to effectuate the transfer;
- to a person authorised by law to have access to the records of the financial institution or organisation in the course of such person's official duties;
- pursuant to a court order or lawful subpoena;
- to communicate the terms and history of a specifically identified account to a consumer reporting agency as defined in Section 50 of Mass. Gen. Laws ch. 93: Regulation of Trade and Certain Enterprises ('the Regulation of Trade and Certain Enterprises'), or to any other person meeting the requirements of Section 51(3) of the Regulation of Trade and Certain Enterprises;
- to any attorney or collection agent of the financial institution or organisation;
- to an employee or other auditor of the financial institution or organisation solely for the purpose of an official audit or accounting or to any other person for the purpose of servicing the account relationship, including preparation of the periodic statement of account, but only to the extent actually necessary;
- to an employee of the financial institution or organisation for the purpose of pursuing or disposing of a dispute or claim involving an account; or
- pursuant to the written authorisation of the consumer; provided, however, that such authorisation shall not remain in effect longer than 45 days (Section 16(a) of the EFTA).
- a person shall maintain reasonable procedures acceptable to the commissioner of banks to:
- prevent any disclosure, other than a disclosure permitted pursuant to the nine enumerated circumstances identified above, of information regarding an account or electronic funds transfer to any third party; and
- make the person aware of the occurrence of any such unauthorised disclosure; and if a person becomes aware of such an unauthorised disclosure, it shall, not later than three days after it obtains such knowledge, disclose to the applicable consumer the fact of the occurrence of the unauthorised disclosure and the particulars thereof known to the person.
Credit card and check transactions
Massachusetts law prohibits persons or entities who accept credit cards for business transactions from writing, causing to be written, or requiring that a credit card holder write personal identification information (including, but not limited to, the card holder's address or telephone number), not required by the credit card issuer, on the credit card transaction form (Section 105(a) of the Regulation of Trade and Certain Enterprises). As interpreted by the Supreme Judicial Court of Massachusetts in Tyler v. Michaels Stores, Inc., 464 Mass. 492 (2013), this prohibition extends to both electronic and paper credit card transaction forms, and a zip code constitutes personal identification information. Note, however, that this prohibition does not prevent such persons or entities from requesting information necessary for shipping, delivery, or installation of purchased merchandise or services, or for a warranty, when such information is provided voluntarily by the cardholder (Section 105(a) of the Regulation of Trade and Certain Enterprises). There is a parallel, and more detailed, prohibition with respect to check transactions (Section 105(b) of the Regulation of Trade and Certain Enterprises). Violation of these prohibitions constitutes an unfair and deceptive trade practice under Massachusetts law (Section 105(d) of the Regulation of Trade and Certain Enterprises).
Massachusetts' general data breach notification law, Section 1 et seq. of Mass. Gen. Laws ch. 93H: Security Breaches ('the Data Breach Notification Law'), applies to financial institutions much as it does to any persons or entities within the scope of that law, which governs the unauthorised disclosure of certain types of personal information. Note, specifically, that the definition of personal information within the scope of the Data Breach Notification Law includes, among other things, a resident's first name and last name, or first initial and last name, in combination with a financial account number or credit card number, with or without any required security code, access code, personal ID number, or password, that would permit access to the resident's financial account.
For additional information regarding Massachusetts' general data breach notification law, please see the Massachusetts – Data Breach Guidance Note.
Regulatory developments of potential interest to, but not necessarily specific to, the financial technology ('Fintech') space include the following:
- in a 2014 opinion, the DoB exempted bitcoin ATMs from the approval and registration requirements that it oversees with respect to electronic branches (Selected Opinion 14-004 (12 May 2014)); and
- House Bill 2701 ('the Draft Bill'), which has been under consideration in the Massachusetts Legislature since early 2019, would establish a commission on automated decision-making, artificial intelligence, transparency, fairness, and individual rights. The Draft Bill is focused on public sector usage of artificial intelligence – i.e., use by any agency, constitutional office, department, board, commission, bureau, division or authority of the Commonwealth of Massachusetts, or of any political subdivision thereof, or of any authority established by the general court to serve a public purpose – but could still prove instructive for the private sector.
See discussion of the Safeguards Regulation in the Massachusetts – Data Protection Overview Guidance Note and of the GLBA in the USA – GLBA Guidance Note and the USA – Data Protection in the Financial Sector Guidance Note.
11. Additional Areas of Interest
Massachusetts Credit Reporting Act
The Massachusetts Fair Credit Reporting Act ('MFCRA'), §§50-68 of the Regulation of Trade and Certain Enterprises, is a state-level counterpart of the federal Fair Credit Reporting Act of 1970 ('FCRA'), and substantially aligns with it.
It is worth noting that there are two MFCRA provisions that are excepted from certain pre-emption provisions in the FCRA.
First, while §1681t(b)(1)(F) of Title 15 of the United States Code generally pre-empts state laws with respect to any subject matter regulated under the FCRA's provisions regarding the responsibilities of furnishers of information to consumer reporting agencies, there is an express exception for §54A(a) of the MFCRA. That MFCRA provision provides that every person who furnishes information to a consumer reporting agency shall follow reasonable procedures to ensure that the information reported to a consumer reporting agency is accurate and complete and that no person may provide information to a consumer reporting agency if such person knows or has reasonable cause to believe such information is not accurate or complete. Whether the express exception for Section 54A(a) of the MFCRA should also be read as extending to private causes of action brought to enforce Section 54A(a) of the MFCRA under Section 54A(g) of the MFCRA, even though Section 54A(g) of the MFCRA is, unlike Section 54A(a) of the MFCRA, not expressly excepted from the FCRA pre-emption provision, has been the subject of a number of judicial opinions, with conflicting results. Compare Lance v. PNC Bank, N.A., 2015 WL 5437090, *4 (15 September 2015) (holding that claims brought under Section 54A(g) of the MFCRA are pre-empted), with Catanzaro v. Experian Info. Sols., Inc., 671 F. Supp. 2d 256, 261 (D. Mass. 2009) (holding that claims brought under Section 54A(g) of the MFCRA are not pre-empted).
Second, while §1681t(b)(4) of Title 15 of the United States Code generally pre-empts state laws with respect to the frequency of the free annual disclosures that nationwide consumer reporting agencies must provide, there is an express exception for §59(d) to (e) of the MFCRA, which concerns similar subject matter.
Peter Guffin, Partner
Pierce Atwood LLP, Portland