Upcoming Compliance Deadline for Massachusetts Service Provider Contracts

This blog entry was contributed by Kate Abramson, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office.

Massachusetts information security regulations (“Standards for the Protection of Personal Information of Residents of the Commonwealth”) took effect on March 1, 2010. In approximately five weeks, covered companies face a compliance deadline relating to their third party service provider contracts.

To reduce the risk of data breaches involving third-party service providers, the regulations require companies to take reasonable measures to select vendors capable of “maintaining appropriate security measures to protect such personal information consistent with [the] regulations and any applicable federal regulations.” Furthermore, the regulations mandate that companies contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements.

The contract provision includes a grandfather clause, providing that all contracts entered into before March 1, 2010 are exempt from complying with this requirement until March 1, 2012.

Accordingly, companies that own or license personal information of Massachusetts residents must ensure they have specifically contracted with their service providers to implement and maintain such security measures before the pending deadline.

While the regulations only affect companies possessing personal information of Massachusetts residents, companies outside the scope of these regulations should nonetheless consider amending their contracts in conformity with the Massachusetts regulations to ensure that service providers are aware of their obligations to safeguard personal information.

House Passes Comprehensive Data Security Legislation

On December 8, the House of Representatives by voice vote passed H.R. 2221, entitled the "Data Accountability and Trust Act," which would require all organizations engaged in interstate commerce that manage or contract another to manage electronic data containing personal information to comply with a comprehensive set of standards designed to protect that information from unnecessary disclosure and to prevent identity theft and other fraud.

These measures include:

  • Requiring covered organizations to establish and implement comprehensive policies and procedures regarding information security practices for the treatment and protection of personal information, tailored to the individual organization's capabilities.  This would include:
    • the creation of a security policy;
    • the identification of a security officer or other individual as the point of contact for the organization's security program;
    • the creation of a process for assessing vulnerabilities to electronic systems containing personal information, including regular monitoring for security breaches;
    • the creation of a process for taking preventative and corrective action to mitigate against any vulnerabilities found; and
    • the creation of a process for the secure disposal of obsolete data.
  • Subjecting data brokers maintaining PII to standards similar to credit reporting agencies, including allowing individuals to request and correct false information maintained about them, and punishing data brokers for the unauthorized disclosure of personal information through "pretexting" -- that is, obtaining or hiring someone who obtains personal information of others through false pretenses.
  • Creating a federal data breach notification requirement that would mandate any organization suffering a breach of personal information to notify all affected individuals, unless it determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct (which can be presumed if the data is properly encrypted or otherwise rendered in an electronic form unreadable or undecipherable).  Organizations suffering breaches would also be required to provide consumer credit reports to affected individuals on a quarterly basis for two years.

The FTC would be directed to pass regulations and guidance implementing and interpreting many of the specifics, and would be granted civil enforcement authority through its power under the FTC Act to prevent unfair and deceptive trade practices.  In addition, the bill would empower state attorneys general to bring civil actions to enforce its provisions with regard to violations against residents of their respective states.

Penalties would be substantial.  The failure of any covered organization to implement a comprehensive data security program or of data brokers to implement requirements specific to them would carry a maximum penalty of $11,000 per violation -- which in the case of the data security program would be $11,000 per day -- up to a maximum of $5,000,000.  Failing to comply with the breach notification provision would carry a penalty of up to $11,000 per failed notification, up to a maximum of $5,000,000, which could theoretically be reached by an unreported breach of the personal information of only 455 individuals.

Importantly, the bill would preempt the breach notification laws of forty-five states, the District of Columbia, Puerto Rico, and the Virgin Islands, as well as the recent controversial Massachusetts regulations requiring the creation of a comprehensive data security program and policy of all organizations maintaining the electronic personal information of residents of that state.  It would not, however, replace any of the parallel federal breach notification standards, such as the breach notification rule recently issued by the Department of Health and Human Services under the HITECH Act and other disclosure requirements under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.

Just last month, the Senate Judiciary Committee approved two bills very similar to H.R. 2221.  While there are some notable differences -- including criminal penalties, an applicability threshold for the data security program requirement, and express exemptions for entities in compliance with similar federal regulations in the Senate versions, and prohibition of pretexting and higher penalties in the House version -- all three bills have enjoyed bipartisan support and their purposes are aligned.  Though health care and other items remain higher on the Senate's agenda, and the full chamber is unlikely to vote on the bills for some time, proponents are now likely to point to the momentum generated by the passage of the House version to bring the issue before the Senate sooner rather than later.

Massachusetts Data Security Regulations Raise the Stakes for Sharing Personal Information with Third Party Service Providers

The August 17, 2009 revisions of the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (“Massachusetts Standards”) were accompanied by reassurances that the changes were designed to create a more flexible regulatory framework that would ease the burdens on business while protecting the public interest. However, the revisions also include more detailed provisions dealing with sharing of personal information with third party service providers.  Third party service provider relationships can be a substantial source of risk to the confidentiality, integrity, and availability of sensitive information.  Risk factors include the security practices of third parties within their own facilities as well as the seemingly simple process of transferring sensitive information to a service provider.

The Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) has addressed these risks by requiring businesses subject to the Massachusetts Standards to take “reasonable steps to select and retain third party service providers that are capable of providing appropriate security measures” consistent with the regulations and contractually obligating those service providers to do so.  There are several particularly noteworthy implications of these requirements.

Expansive Definition of Service Provider

The revised Massachusetts Standards define a “service provider” as: “any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of service directly to a person that is subject to this regulation …” explicitly excluding the U.S. Postal Service. Accordingly, almost all vendors, suppliers, consultants, contractors, and advisors with which a business shares the personal information of Massachusetts residents appear to fall within this definition. Going forward, businesses subject to the Massachusetts Standards should carefully examine all of their third party relationships to identify all scenarios where the third party service provider requirements are applicable.

Data Security Due Diligence

While it has been an advisable practice for some time now, the express reference to selecting third party service providers that are capable of providing appropriate security raises analysis of data security practices during due diligence to the level of a legal obligation. The Commonwealth is unlikely to be sympathetic to claims that an entity was in compliance with the Massachusetts Standards without meaningful evidence of pre-closing investigation into the data security practices of its service providers.

Monitoring Third Party Service Provider Data Security Practices

The August 17th revisions removed the prior obligation to ensure that third party service providers are applying security measures consistent with the regulations. Nonetheless, the new language contains the admonition to “retain” third party service providers capable of providing such security. Hence, OCABR maintains some authority to require monitoring of the data security performance of third party service providers. Consequently, guaranteeing the right to audit the data security measures taken by third party service providers remains a strongly advised policy. 

Limited Grandfather Clause

Finally, the August 17th revisions include a grandfather clause apparently designed to exempt third party service contracts entered into before a particular date. Due to a likely drafting error, the grandfather clause contains conflicting dates (March 1, 2010 and March 1, 2012) for the exemption. This confusion is likely to be resolved after the current public comment period. While a reasonable reading of the current language could lead one to conclude that contractual obligations are not necessary for any contract entered into before March 1, 2010, the use of contract to protect the interests of businesses subject to the Massachusetts Standards remains a very attractive option, even for agreements currently in existence. 

The grandfather clause provides no indication that it exempts presently existing third party relationships from the “selection and retention” requirements discussed above. Contractual restrictions are among the more readily practicable methods of implementing the requirement to select and retain service providers capable of providing appropriate security. Therefore, ensuring that relevant contractual obligations are in place is in the interests of all businesses subject to the Massachusetts Standards.

Latest Revision of Massachusetts Data Security Regulations Attempts to Increase Flexibility

On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued a second set of revisions to the Standards for the Protection of Personal Information of Residents of the Commonwealth (“Massachusetts Standards”), 201 CMR 17.00. In support of the revisions, the OCABR also issued Frequently Asked Questions (“FAQs”) to clarify the regulators’ views on issues that may not have been entirely clear in the text of the rules. The revisions are intended to increase the flexibility of the regulations in a manner that will reduce burdens on entities subject to the Massachusetts Standards, particularly small and mid-sized businesses. 

Notable among the revisions are the attempts by the OCABR to: (1) introduce a more risk-based approach to the comprehensive information security programs required by the Massachusetts Standards; (2) implement a “technical feasibility” test for required technological controls; and (3) adopt a technology neutral approach to data encryption. While these initiatives should assuage some of the concerns previously expressed by the private sector, the ultimate practical impact remains in doubt.

Risk-Based Approach 

While the OCABR press release and FAQs heavily emphasize the position that the revised Massachusetts Standards take a more risk-based approach to compliance, the changes are not readily apparent. Previous iterations of the Massachusetts Standards were similarly scalable based on the unique circumstances of each covered entity. The prior versions of the regulations stated that the required information security program would be evaluated by the Commonwealth based on the: (a) size and type of the covered business; (b) resources available to the covered business; (c) amount of stored data; and (d) need for security and confidentiality of the personal information. Although that provision has been removed, the revised regulations state that the required information security program should implement safeguards that are appropriate to the same four factors listed above. This change may make the scalability of the regulations slightly more straightforward, but appears to have little impact on the practical considerations of compliance.

Technical Feasibility

Entities subject to the Massachusetts Standards are now only required to implement technical safeguards that are “technically feasible.” Unfortunately, the definition of technically feasible provided in the FAQs (“if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used”) provides little practical guidance. Nonetheless, subsequent portions of the FAQs provide additional insight into the Commonwealth’s intentions. The FAQs note that: “there is little, if any, generally accepted encryption technology for most portable devices ….” On the other hand, the FAQs unequivocally state that there is technology available to encrypt laptops. As a practical matter, it may be reasonable to conclude that covered entities are not expected to adopt cutting edge technologies to satisfy their obligations. Only “generally accepted” technology is expected. 

However, the absence of generally accepted technological controls does not absolve businesses of all obligation to protect personal information. When there is no feasible technical control, the OCABR clearly expects covered entities to take reasonable alternative steps to protect personal information. For example, the FAQs recommend that:

  • if encryption of backup tapes is not technically feasible, entities should take reasonable steps to physically protect the personal information stored on the tapes, such as using an armored vehicle service to transport tapes containing unencrypted personal information;
  • a secure, password-protected website should be used to conduct transactions involving personal information if encryption of email is not technically feasible; and
  • personal information should not be stored on portable devices, such as smart phones, for which there is no generally accepted encryption technology.

Accordingly, businesses should carefully consider available administrative and physical security options when dealing with provisions of the Massachusetts Standards that do not appear to be technically feasible.

Technology-Neutral Encryption Requirement

In an attempt to ensure that the Massachusetts Standards remain flexible enough to adjust to the evolution of technology, the definition of encryption has been revised to make it slightly more technology neutral.  Past versions of the Massachusetts Standards expressly required that encryption involve an algorithmic process.  The August 17th revisions eliminated this requirement.  This change is unlikely to have any significant effect in the foreseeable future.  

In fact, it is not yet clear what OCABR’s intentions were in this instance. While there is no formally accepted mathematical definition of the term “algorithm,” the word is generally taken to mean a process involving a specific sequence of actions. Encryption and decryption are quintessential examples of algorithmic processes. These functions require a specific series of actions in order to transform readily-understandable information into a form that is difficult to understand and, when an authorized recipient receives the information, transform it back into readily-understandable information. It is difficult to conceive of a method of encryption that would not involve an algorithmic process. Even methods of concealing information which are traditionally outside the scope of cryptography, such as steganography, typically involve the use of a sequence of specific actions to protect and recover information.

It is possible that OCABR wished to avoid contentious litigation over the meaning of algorithm in the absence of a formal mathematical definition. Nevertheless, businesses should expect to use generally accepted, industry standard algorithmic encryption technology for the foreseeable future in order to ensure compliance with the Massachusetts Standards.    

Businesses Should Continue to Monitor Developments

As this is the third version of the Massachusetts Standards to be issued since the regulations were declared “final,” further adjustments in the future are not unforeseeable. The OCABR has scheduled a public hearing for September 22, 2009 and will be accepting written comments up to September 25, 2009. Persuasive arguments presented by both consumer advocates and the private sector may lead to further refinements of the regulations before the current effective date of March 1, 2010.