On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued a second set of revisions to the Standards for the Protection of Personal Information of Residents of the Commonwealth (“Massachusetts Standards”), 201 CMR 17.00. In support of the revisions, the OCABR also issued Frequently Asked Questions (“FAQs”) to clarify the regulators’ views on issues that may not have been entirely clear in the text of the rules. The revisions are intended to increase the flexibility of the regulations in a manner that will reduce burdens on entities subject to the Massachusetts Standards, particularly small and mid-sized businesses.
Notable among the revisions are the attempts by the OCABR to: (1) introduce a more risk-based approach to the comprehensive information security programs required by the Massachusetts Standards; (2) implement a “technical feasibility” test for required technological controls; and (3) adopt a technology neutral approach to data encryption. While these initiatives should assuage some of the concerns previously expressed by the private sector, the ultimate practical impact remains in doubt.
While the OCABR press release and FAQs heavily emphasize the position that the revised Massachusetts Standards take a more risk-based approach to compliance, the changes are not readily apparent. Previous iterations of the Massachusetts Standards were similarly scalable based on the unique circumstances of each covered entity. The prior versions of the regulations stated that the required information security program would be evaluated by the Commonwealth based on the: (a) size and type of the covered business; (b) resources available to the covered business; (c) amount of stored data; and (d) need for security and confidentiality of the personal information. Although that provision has been removed, the revised regulations state that the required information security program should implement safeguards that are appropriate to the same four factors listed above. This change may make the scalability of the regulations slightly more straightforward, but appears to have little impact on the practical considerations of compliance.
Entities subject to the Massachusetts Standards are now only required to implement technical safeguards that are “technically feasible.” Unfortunately, the definition of technically feasible provided in the FAQs (“if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used”) provides little practical guidance. Nonetheless, subsequent portions of the FAQs provide additional insight into the Commonwealth’s intentions. The FAQs note that: “there is little, if any, generally accepted encryption technology for most portable devices ….” On the other hand, the FAQs unequivocally state that there is technology available to encrypt laptops. As a practical matter, it may be reasonable to conclude that covered entities are not expected to adopt cutting edge technologies to satisfy their obligations. Only “generally accepted” technology is expected.
However, the absence of generally accepted technological controls does not absolve businesses of all obligation to protect personal information. When there is no feasible technical control, the OCABR clearly expects covered entities to take reasonable alternative steps to protect personal information. For example, the FAQs recommend that:
- if encryption of backup tapes is not technically feasible, entities should take reasonable steps to physically protect the personal information stored on the tapes, such as using an armored vehicle service to transport tapes containing unencrypted personal information;
- a secure, password-protected website should be used to conduct transactions involving personal information if encryption of email is not technically feasible; and
- personal information should not be stored on portable devices, such as smart phones, for which there is no generally accepted encryption technology.
Accordingly, businesses should carefully consider available administrative and physical security options when dealing with provisions of the Massachusetts Standards that do not appear to be technically feasible.
Technology-Neutral Encryption Requirement
In an attempt to ensure that the Massachusetts Standards remain flexible enough to adjust to the evolution of technology, the definition of encryption has been revised to make it slightly more technology neutral. Past versions of the Massachusetts Standards expressly required that encryption involve an algorithmic process. The August 17th revisions eliminated this requirement. This change is unlikely to have any significant effect in the foreseeable future.
In fact, it is not yet clear what OCABR’s intentions were in this instance. While there is no formally accepted mathematical definition of the term “algorithm,” the word is generally taken to mean a process involving a specific sequence of actions. Encryption and decryption are quintessential examples of algorithmic processes. These functions require a specific series of actions in order to transform readily-understandable information into a form that is difficult to understand and, when an authorized recipient receives the information, transform it back into readily-understandable information. It is difficult to conceive of a method of encryption that would not involve an algorithmic process. Even methods of concealing information which are traditionally outside the scope of cryptography, such as steganography, typically involve the use of a sequence of specific actions to protect and recover information.
It is possible that OCABR wished to avoid contentious litigation over the meaning of algorithm in the absence of a formal mathematical definition. Nevertheless, businesses should expect to use generally accepted, industry standard algorithmic encryption technology for the foreseeable future in order to ensure compliance with the Massachusetts Standards.
Businesses Should Continue to Monitor Developments
As this is the third version of the Massachusetts Standards to be issued since the regulations were declared “final,” further adjustments in the future are not unforeseeable. The OCABR has scheduled a public hearing for September 22, 2009 and will be accepting written comments up to September 25, 2009. Persuasive arguments presented by both consumer advocates and the private sector may lead to further refinements of the regulations before the current effective date of March 1, 2010.