HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

This month saw the launch of the ICO's first code of practice on online privacy, following extensive consultation earlier in the year. The code provides good practice advice for organisations providing goods and services using the web and explains how the Data Protection Act applies to the collection and use of personal data online.

The code is divided into the following 7 chapters, and also includes a helpful annex and glossary of terms, for those less familiar with online jargon. You can read on to see our summarised highlights of the code, but we also recommend reading the full guidance document on the ICO website, through the link provided above. It should be of particular interest to businesses engaged in behavioural advertising, online sales and cloud computing.

 

• Email This
• Print
• Share Link

On June 24, the FTC announced a proposed consent order with social networking service provider Twitter, Inc.  The Twitter investigation is consistent with the FTC’s longstanding interest in policing the data privacy and security practices of social networking services, dating back to the FTC’s first online privacy case against Geocities in 1998. 

Within the general framework of FTC information security jurisprudence, this investigation reflects three noteworthy developments.  First, the investigation demonstrates the broad reach of FTC Act § 5 concerning data security, extending well beyond protection of the kinds of data traditionally considered sensitive (e.g., Social Security Numbers and payment card numbers).  Second, the complaint introduces security expectations, concerning controlling administrator-level access to information systems, that had not been previously expressed by the FTC.  Third, this enforcement action appears to show that the FTC considers the protection of personal information critical at all stages of the business lifecycle, from start-up to wind-down.

A.  Data Security Obligations Are Not Limited to Sensitive Personal Information

The FTC alleges that lapses in Twitter’s data security practices resulted in unauthorized person’s gaining access to user accounts containing mobile telephone numbers, email addresses, and IP addresses.  Unlike prior data security investigations, there is no allegation that unauthorized persons gained access to the traditionally identified forms of sensitive personal information, such as SSNs, financial account numbers, government ID numbers, or consumer reports.  Nor is there any allegation that the affected information revealed sensitive personal characteristics (e.g., medical conditions) either directly or as revealed by purchases.  There may be a number of explanations for this departure from past precedent. 

1.  Consumer Expectations Influence Security Obligations

All the data types affected by the security incidents suffered by Twitter were stored in areas that were allegedly described by Twitter as non-public.  Hence, the FTC concerns appear to stem in part from the fact that consumers submitted such information to Twitter under the impression that Twitter would prevent unauthorized sharing.  Accordingly, consumer expectations, rather than any fixed list of data elements, may dictate the steps that a company is expected to take to protect such data.  Such a standard may have far reaching implications for websites, particularly those that encourage visitors to build profiles that are not intended for public display, including social networking services that offer users the option of maintaining “private” (or otherwise limited access) profiles. 

2.  Fraud Prevention

Among the consequences of Twitter’s alleged failure to secure its systems was the misuse of existing Twitter accounts to transmit fraudulent messages.  The FTC does not discuss the public policy concerns posed by the transmission of fraudulent messages in any great detail.  Nonetheless, concerns likely include reputational damage, particularly for public figures and businesses (e.g., the Twitter incident resulted in fraudulent tweets transmitted from the accounts of President Barack Obama and Fox News).  In addition, recent press reports indicate that criminals have used compromised social network accounts to attack the account holder’s friends list with messages containing malicious software or fraudulent pleas for money. 

B.  Securing Administrator Level System Access

The attacks perpetrated against Twitter allegedly exploited weaknesses in the security measures used to limit administrator level access.  Because administrator level privileges allow users to manipulate the settings and content of individual user accounts, the attackers were then able to take control of numerous accounts to view private information and engage in fraudulent activity. 

The specific security lapses cited by the FTC included the failure to:

• establish or enforce strong password policies;
• prevent the storage of administrative passwords in plaintext in employees’ private email accounts;
• suspend or disable administrative accounts after a number of failed login attempts;
• provide a separate login page for administrative access the address of which was made known only to authorized users;
• enforce periodic changes of administrative passwords (e.g., 90-day expiration);
• restrict access to administrative controls based on employees’ job functions; and
• impose other restrictions on administrative access, such as by restricting access to specified IP addresses.

• Email This
• Print
• Share Link

On Friday, May 7, 2010, the Office for Civil Rights (“OCR”) issued guidance related to the HIPAA Security Rule’s risk analysis requirement.  Under HITECH, OCR is responsible for issuing annual guidance on provisions of the HIPAA Security Rule.  This guidance is the first in a series of documents aimed at helping covered entities and business associates implement effective and appropriate administrative, physical, and technical security safeguards. 

This guidance document is generally consistent with the materials provided by the Centers for Medicare and Medicaid Services (“CMS”) prior to the introduction of HITECH.  For example, like the recently released OCR guidance, CMS historically directed covered entities to refer to the National Institute of Standards and Technology’s Special Publication 800-66 Rev.1, An Introductory Resource Guide for Implementing the HIPAA Security Rule (October 2008) (“NIST 800-66”).  NIST 800-66 frequently directs readers to consult NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002), which is also quoted extensively in the recently released OCR guidance.  Moreover, the OCR guidance is quite similar to the HIPAA Security Series, Paper 6: Basics of Risk Analysis and Risk Management which was most recently revised by CMS in March 2007. 

OCR encourages the public to offer feedback on the risk analysis guidance. Comments can be submitted to OCR at OCRPrivacy@hhs.gov

• Email This
• Print
• Share Link

The U.S. Department of Defense (DOD) has issued an advanced notice of proposed rulemaking regarding amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) that would add new data protection requirements for unclassified DOD information used or handled by contractors. See 75 F.R. 9563 (March 3, 2010). The proposed amendments would create a two-tiered system of data security requirements, as well as an obligation to notify the DOD of security incidents.

The two tiers of data security requirements are described as “basic safeguards” and “enhanced safeguards,” both of which require “adequate security.” Under the proposed rules, “adequate security” would mean: “protection measures … commensurate with the risks (i.e., consequences and their probability) of loss, misuse, or unauthorized access to or modification of information.” 75 F.R. at 9566.

Basic safeguards are required for any unclassified DOD information. The required protections would include:

§         prohibiting the posting of any DOD information on websites unless they are restricted to users that provide user ID/password, digital certificate, or similar credentials;

§         using the “best level of security and privacy available” for transmissions of any DOD information transmitted via email, text messaging, and similar technologies;

§         transmitting any DOD information via telephone or fax only when reasonably assured that access is limited to authorized recipients;

§         protection of all DOD information by at least one physical (e.g., locked container) or electronic (e.g., user/password restriction) barrier;

§         sanitization of media in accordance with NIST protocols prior to disposal;

§         implementation of regularly updated malware protection and software patches/upgrades;

§         limiting sharing of any DOD information to third parties that have a “need to know;” and

§         contractually obligating all subcontractors to abide by the proposed regulations. 

See id.

Enhanced safeguards apply to unclassified DOD information that meets one or more of the following criteria:

§         Critical Program Information (as defined in DOD Instruction 5200.39);

§         data subject to export controls under International Trafficking in Arms Regulations and Export Administration Regulations;

§         data designated for withholding under the FOIA program (as described in DOD Directive 5400.07);

§         data bearing current or prior controlled access/dissemination designations (e.g., For Official Use Only, Limited Distribution, and Proprietary);

§         technical data, software, or other information subject to DOD Directive 5230.24; and

§         personally identifiable information, including (but not limited to) data protected by the Privacy Act and HIPAA. 

See 75 F.R. at 9566 - 67.

In addition to the basic safeguards listed above, contractors would be obligated to implement the following measures for data subject to enhanced safeguard requirements:

§         reporting any “cyber intrusion incident” to DOD, which includes any event involving unauthorized access to DOD information or an “advanced persistent threat” (meaning a “proficient, patient, determined, and capable adversary”);

§         cooperate with and provide support for DOD investigations of reported cyber intrusion incidents;

§         encryption when transmitting DOD information across wireless networks (by either encrypting the wireless connection itself or the individual files transmitted across such connections);

§         encryption of DOD information stored on laptops, mobile devices, and removable media;

§         monitoring and control of network traffic through mechanisms such as firewalls and or intrusion detection/prevention systems; and

§         implementation of an information security program consistent with NIST Special Publication 800-53.

See id.

With regard to the “cyber intrusion incident” reporting requirements, “advanced persistent threats” appear to be reportable without regard to whether such a threat actually results in unauthorized access to DOD information. Attempted advanced persistent threats may be reportable events. In addition, covered contractors may be obligated to comply with all reporting, support, and cooperation requirements for incidents reported by their subcontractors.

With regard to cross-compliance with HIPAA, it appears that entities which are already compliant with the HIPAA Security Rule would not be required to make substantial changes to their existing safeguards for protected health information with the exception of adding procedures for reporting “cyber intrusion incidents” to, and cooperating with resulting investigations by, DOD.

The public comment period ends on May 3, 2010. DOD has scheduled a public meeting to discuss the proposed regulations on April 22, 2010 from 8:00 AM to 4:00 PM (EST). Attendees are expected to register two weeks in advance (thus, by April 8, 2010).

• Email This
• Print
• Share Link

The Federal Communications Commission released its long-awaited National Broadband Plan today, providing an aggressive roadmap for advancing affordable broadband deployment and adoption; stimulating economic growth; and boosting the nation's capabilities in education, healthcare, homeland security, and other areas.  The Plan also appears to confirm that the FCC is looking to take an expanded role in privacy-related consumer protection issues.

In the Plan, the FCC discusses a number of broadband privacy and data security issues focused on the protection of and consumer control over personal information.  For example, the FCC states 

 

[t]he collection, aggregation and analysis of personal information are common threads among, and enablers of, many application-related innovations...

and the Plan notes the value of services such as customized suggestions for movie rentals or books and more targeted and relevant advertising.  It cautions, however

many users are increasingly concerned about their lack of control over sensitive personal data.

The FCC then remarks:  

Innovation will suffer if a lack of trust exists between users and the entities with which they interact over the Internet.  Policies therefore must reflect consumers’ desire to protect sensitive data and to control dissemination and use of what has become essentially their “digital identity.”  Ensuring customer control of personal data and digital profiles can help address privacy concerns and foster innovation.

The FCC also makes several broadband privacy and data security recommendations in the Plan, including:

• Encouraging Congress and the Federal Trade Commission (as well as the FCC) to clarify the relationship between users and their online profiles, including disclosure and consent requirements and data collection, sharing, storage, safeguarding, and accountability responsibilities;

• Suggesting that Congress consider helping spur the development of trusted "identity providers" that can help consumers maximize the privacy and security of their data;

• Having the FTC and FCC jointly develop principles to require that customers provide informed consent before broadband service providers share certain information with third parties (including account and usage information and other personally identifiable information); and

• Prompting the federal government to put additional resources into combating identity theft and fraud and enhancing consumer online security.

In addition, the Plan includes several privacy and data security recommendations in the smart grid and cybersecurity areas, including a recommendation that states require utilities to "provide consumers access to, and control of, their own digital energy information, including real-time information from smart meters and historical consumption, price and bill data over the Internet."  If states fail to do so within 18 months, the Plan recommends that Congress consider national legislation.

• Email This
• Print
• Share Link

The Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00 (“Massachusetts Standards”), include a broad range of administrative, physical, and technical obligations.  Nevertheless, there are certain common business processes that may pose unique and substantial compliance challenges.  Accordingly, organizations subject to these regulations should give very careful consideration to their practices in the following high risk areas. 

Email

First, the obligation to encrypt all sensitive personal information transmitted over public networks will have a substantial impact on the use of email to collect and transmit such data.  While there is generally accepted technology available to encrypt email and/or or files attached to emails, implementing such tools and properly training the workforce to use them may require significant expense.  (It should also be noted that this would apply to webpage forms that populate and transmit emails, as well as the use of Instant Messaging, Text Messaging, or similar technologies to transmit personal information.)

Organizations that exchange personal information directly with consumers may find the transition particularly difficult.  Many consumers may be ill-equipped to deal with encrypted messages and attachments.  Moreover, the encryption/decryption process may create negative user experiences that undermine customer goodwill.  While decrypting messages and attachments may be quite straightforward for the technology savvy consumer, it is likely to be confusing or frustrating for many others.  Similar complications may arise when dealing with small to mid-sized third party service providers that have limited technological sophistication.

In light of the foregoing, many organizations may consider alternative communications protocols, such as shifting email-dependent business processes to web browser-based processes that can be secured in a more efficient and centralized manner. Web pages served over secure HTTP or secure FTP could replace most present-day email communications involving personal information. 

Portable Devices

The Massachusetts Standards require the encryption of sensitive personal information stored on portable devices.  By the Massachusetts government’s own admission, there are no generally accepted encryption tools for use on many commonly-used portable devices, such as smartphones and PDAs.  As a result, enterprises subject to the Massachusetts Standards should carefully consider when it is necessary and appropriate, if ever, to store sensitive personal information on portable devices.  Alternatives, such as truncation of sensitive data (e.g., SSNs and financial account numbers) and use of secure online protocols (e.g., secure HTTP or secure FTP) for transmitting data to third parties, should be thoroughly contemplated.  In those instances when such storage is both necessary and appropriate, procedures, including workforce training, should be developed to ensure that the data remains secure during storage.

There is a certain level of overlap with the email concerns discussed above because a likely source of personal information on smartphones is the email messages that may accessed through the devices.  Since encryption of these messages may not be practicable, organizations may have further incentive to suspend the exchange of personal information via email in favor of browser-based protocols.  

Third Party Relationships

The Massachusetts Standards require enterprises to “select and retain” third party service providers that will provide safeguards consistent with the other requirements of the regulations, as well as contractually obligate third party service providers to maintain such safeguards.  The “select and retain” provision is fairly vague, affording the Massachusetts government (and courts) the opportunity to interpret it in ways that could introduce substantial obligations.  This provision appears to impose obligations to engage in pre-contract evaluation and post-execution monitoring of the security practices of third parties. 

Prior iterations of the Massachusetts Standards included an explicit requirement to obtain written certification of compliance from third party service providers.  Since that language has been removed, the regulations no longer provide concrete guidance on what steps should be taken to “select and retain” appropriate third party service providers.  The resulting ambiguity is a problem for both data owners and their prospective service providers.  Service providers are reluctant to reveal detailed information about their security policies and procedures because such information may be misused at significant cost to the service provider.  On the other hand, data owners are limited in their ability to rely upon imprecise representations of robust security measures from service providers because such representations appear to be self-serving. 

Accordingly, it is important for enterprises in both positions (as data owners and/or service providers) to thoroughly analyze the most effective and appropriate way to ensure that their contractual relationships satisfy the Massachusetts Standards.  Among the potential alternatives is the retention of reputable independent auditors to analyze service provider security practices and generate compliance reports for distribution to business partners (as is common for third parties that provide services subject to the Sarbanes Oxley Act). 

• Email This
• Print
• Share Link

 A new era of information security law may well start as the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00 (“Massachusetts Standards”) go into effect today, March 1, 2010.  All institutions collecting sensitive personal information (e.g., a name combined with a Social Security Number, state-issued identification number, or financial account number) from Massachusetts residents should pay careful attention to the requirements and enforcement of these regulations.  However, the implications beyond those entities that operate in Massachusetts may be longstanding as well.

Information Security Law Trend: From Generalities to Specificity

While information security statutes and regulations are fairly new developments in United States law, the previous trend reflected a bifurcated approach by federal and state authorities.  On the one hand, were somewhat ambiguous reasonableness standards imposed by states such as California and Texas.  On the other hand, were detailed regulations imposed upon industry sectors commonly involved in the handling of sensitive personal information, such as the HIPAA Security Rule, GLB Safeguards Rule, and FCRA/FACTA Disposal Rule. 

As press reports of significant breaches of sensitive personal information continued to mount, state lawmakers have taken an increasingly aggressive approach to regulation. Starting with the rather quiet passage of the Oregon Identity Theft Protection Act and more widely noted passage of the Minnesota Plastic Card Security Act, both in 2007, several states have attempted to adopt detailed information security obligations applicable to all entities that handle sensitive personal information.  Accordingly, Nevada has recently revised its data protection statute, which includes an obligation that businesses that handle credit card transactions must comply with the Payment Card Industry Data Security Standard (similar to the Minnesota Plastic Card Security Act).  Meanwhile, detailed information security regulations remain under development in New Jersey.

A New Revolution Starts in Massachusetts

The Massachusetts Standards stand as a unique development in this lineage because they are notably more comprehensive than the reasonable security statutes implemented in many states and expressly disclaim any exemptions based upon compliance with other regulatory schemes (whether self regulatory such as PCI DSS or federal such as HIPAA and GLB).  In fact, the Massachusetts Standards include a number of technical requirements that are not spelled out in similar detail in the federal sector-specific regulations.  For example, the Massachusetts Standards expressly require the implementation of network firewalls and regularly scheduled patching of operating systems, obligations that are not expressed in either the HIPAA Security Rule or the GLB Safeguards Rule. 

While the Commonwealth’s enforcement agenda remains to be seen, particularly with respect to out-of-state organizations, the regulations are likely to have a distinct impact on many entities. The wide scope of the regulations themselves (covering many administrative, physical, and technical security areas) and the entities arguably subject to the regulations (any entity, regardless of size, that collects sensitive personal information from Massachusetts residents), will compel a significant number of organizations to consider their compliance alternatives.

Although the Massachusetts Standards are designed to scale to the unique circumstances of each entity subject to the obligations (a point reemphasized in revisions issued on August 17, 2009), it is yet to be seen how the enforcement authorities will apply this scalability in practice.  Some of the provisions introduced in an attempt to increase the flexibility of the regulations have inadvertently led to new ambiguities.  For instance, the technical security requirements are only necessary to the degree that they are “technically feasible.”  However, the definition of “technically feasible” (“if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used”) provides limited practical guidance.  Regardless of their ultimate decisions, entities will be assuming a certain level of risk with any compliance decision until the Massachusetts authorities establish further guidance, either through supplemental documents or enforcement actions.

All that being said, many elements of the Massachusetts Standards are more evolutionary than revolutionary, but their impact may remain substantial.  For example, the Massachusetts Office of Consumer Affairs and Business Regulation has stated in its official Frequently Asked Questions that all backup media must be encrypted prospectively.  While encryption has been a solution of choice for legislators and regulators for sometime now, it has historically been encouraged as a form of safe harbor for data breach notification requirements (in state law and recently issued federal health data breach notification regulations).  However, the Massachusetts Standards join the Nevada encryption law in mandating the encryption of sensitive personal information both during transmission and during storage on portable devices and media.  The financial and opportunity costs of such wide ranging obligations to encrypt data may prove substantial and enterprises should be planning accordingly.

• Email This
• Print
• Share Link

The Federal Trade Commission has warned one hundred businesses and organizations that peer-to-peer software (typically used by employees to download and share copyrighted music, software and movie files over the Internet) is exposing information on customers and employees, including health and financial data, Social Security numbers and driver's license numbers.

In a release entitled "Widespread Data Breached Uncovered by FTC Probe" the FTC warned that the presence of privacy-violating peer-to-peer software on an organization's network may represent a violation of the security obligations under a variety of federal statutes.

In one sample letter of the type sent to one of the 100 entities referenced in the FTC release the Commission wrote:

We have not determined whether your company is violating laws enforced by the Commission. However, the FTC is urging you to review your security practices for personal information about your customers and employees, and, if appropriate, the practices of contractors and vendors with access to such information, to ensure that the practices are reasonable, appropriate, and in compliance with the law. It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers. (emphasis supplied)

In the letters sent to organizations found to be hosting the P2P software, the Commission also pointedly provided a link to the long list of enforcement actions taken by the Commission for inadequate data security (leading to compromised personal privacy).

While focused on the data security threats created by P2P software, the FTC's release also underscores the importance of data security generally and the legal risks involved in not adequately addressing the issue.   (In that connection, Hogan & Hartson's privacy and data security practice group regularly assists clients in conducting a risk management assessment to indentify privacy and data security issues, including the presence of P2P software, and to suggest remedial steps.)

• Email This
• Print
• Share Link

The Federal Communications Commission released a Public Notice this week seeking further comment on numerous privacy issues as part of its National Broadband Plan proceeding.  Based on questions raised in a recent Center for Democracy & Technology filing, some of the broad issues that the Notice seeks comment on include:

• Consumer expectations of privacy, and how to meet those expectations as new technologies are deployed;
• Building Privacy by Design;
• Concerns surrounding the collection, use, and storage of transactional data; and
• The regulation of third-party applications.

The FCC, which is working to complete the Plan and submit it to Congress by March 17, has thus far not focused extensively on how to protect consumer privacy and personal information in the broadband ecosystem.  This Notice, however, indicates that the FCC may be planning to highlight a number of privacy-related consumer protection issues in the Plan.  Moreover, depending in part on the comments received in response to the Notice, it could also open the door to future privacy and data protection proceedings at the FCC.

Comments are due on January 22, 2010, just over a week after the Commission issued the Notice.

• Email This
• Print
• Share Link

 The European Network and Information Security Agency (ENISA) has just published a paper on cloud computing, which discusses the benefits and risks of cloud computing from a security perspective. The paper also includes recommendations for improving information security in the context of cloud computing and provides a - in our view very helpful - set of questions that organizations can use to assess whether or not providers of cloud computing services are sufficiently protecting the data entrusted to them.

The key conclusion of the paper is that the “cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective.” 

The paper is particularly timely in light of the European Commission’s public consultation on the legal framework for the fundamental right to protection of personal data, which closes at the end of next month. ENISA’s paper includes specific recommendations for the European Commission’s future consideration. It rightfully points out that certain issues related to the EU Data Protection Directive and Article 29 Working Party recommendations warrant clarification. In the current legal framework, it is not clear, for example, under which circumstances a provider of cloud computing services may be classified as a “joint controller” of personal data. ENISA also recommends that the European Commission examine and clarify, inter alia:

-         whether providers of cloud computing services should be obliged to notify their customers of data security breaches (and what information should be provided to these customers);

-         the legal impact of data transfers to providers of cloud computing services in countries outside the European Economic Area (EEA), if those countries do not provide an “adequate” level of data protection;

-         how the intermediary liability exemptions arising from the eCommerce Directive apply to providers of cloud computing services.

As far as information security in concerned, ENISA’s paper provides useful and practical guidance for potential and existing users of cloud computing services as well as policy makers. It will be interesting to see to what extent its recommendations will result in concrete action by the European Commission and/or Article 29 Working Party.

• Email This
• Print
• Share Link

The Personal Data Privacy and Security Act (“PDPSA”), recently reintroduced by Sen. Patrick Leahy (D-VT) and referred to the Senate Judiciary Committee proposes comprehensive federal regulation of data broker services.  While enactment of the PDPSA remains uncertain, the draft legislation may presage future legislative and regulatory trends.

Comprehensive Federal Regulation of “Data Brokers”

Title II of the PDPSA would introduce significant new regulation for data brokers, which are defined as

“a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purpose of providing such information to nonaffiliated third parties on an interstate basis.” 

PDPSA § 3(5).  Entities that are already regulated under the Fair Credit Reporting Act (“FCRA”), Gramm-Leach-Bliley Act (“GLBA”), or Health Insurance Portability and Accountability Act (“HIPAA”) are not subject to the data broker requirements of the PDPSA as currently drafted.  See PDPSA § 201(b)(1)-(3).  Notably, the PDPSA requirements would apply to the use of any form of sensitive personally identifiable information ("SPII"), unlike the FCRA which is limited to information used in consumer reports. 

• Email This
• Print
• Share Link

The August 17, 2009 revisions of the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (“Massachusetts Standards”) were accompanied by reassurances that the changes were designed to create a more flexible regulatory framework that would ease the burdens on business while protecting the public interests. However, the revisions also include more detailed provisions dealing with sharing of personal information with third party service providers.  Third party service provider relationships can be a substantial source of risk to the confidentiality, integrity, and availability of sensitive information.  Risk factors include the security practices of third parties within their own facilities as well as the seemingly simple process of transferring sensitive information to a service provider. 

The Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) has addressed these risks by requiring businesses subject to the Massachusetts Standards to take “reasonable steps to select and retain third party service providers that are capable of providing appropriate security measures” consistent with the regulations and contractually obligating those service providers to do so.  There are several particularly noteworthy implications of these requirements.

Expansive Definition of Service Provider

The revised Massachusetts Standards define a “service provider” as: “any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of service directly to a person that is subject to this regulation …” explicitly excluding the U.S. Postal Service. Accordingly, almost any vendors, suppliers, consultants, contractors, and advisors with which a business shares the personal information of Massachusetts residents appear to fall within this definition. Going forward, businesses subject to the Massachusetts Standards should carefully examine all of their third party relationships to identify all scenarios where the third party service provider requirements are applicable.  

Data Security Due Diligence

While it has been an advisable practice for some time now, the express reference to selecting third party service providers that are capable of providing appropriate security raises analysis of data security practices during due diligence to the level of a legal obligation. The Commonwealth is unlikely to be sympathetic to claims that an entity was in compliance with the Massachusetts Standards without meaningful evidence of pre-closing investigation into the data security practices of its service providers.

Monitoring Third Party Service Provider Data Security Practices

The August 17th revisions removed the prior obligation to ensure that third party service providers are applying security measures consistent with the regulations. Nonetheless, the new language contains the admonition to “retain” third party service providers capable of providing such security. Hence, OCABR maintains some authority to require monitoring of the data security performance of third party service providers. Consequently, guaranteeing the right to audit the data security measures taken by third party service providers remains a strongly advised policy. 

Limited Grandfather Clause

Finally, the August 17th revisions include a grandfather clause apparently designed to exempt third party service contracts entered into before a particular date. Due to a likely drafting error, the grandfather clause contains conflicting dates (March 1, 2010 and March 1, 2012) for the exemption. This confusion is likely to be resolved after the current public comment period. While a reasonable reading of the current language could lead one to conclude that contractual obligations are not necessary for any contract entered into before March 1, 2010, the use of contract to protect the interests of businesses subject to the Massachusetts Standards remains a very attractive option, even for agreements currently in existence. 

The grandfather clause provides no indication that it exempts presently existing third party relationships from the “selection and retention” requirements discussed above. Contractual restrictions are among the more readily practicable methods of implementing the requirement to select and retain service providers capable of providing appropriate security. Therefore, ensuring that relevant contractual obligations are in place is in the interests of all businesses subject to the Massachusetts Standards.

• Email This
• Print
• Share Link