Once again, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has extended the deadline for compliance with its aggressive new data security regulations that were first announced in September 2008. Businesses affected by the Massachusetts regulations now have until March 1, 2010 to implement a comprehensive information security program that includes procedures for the protection of computer systems. Unlike the two previous revisions to the data security regulations, however, the most recent modifications also contain important substantive changes that will impact businesses currently considering what steps to take in order to comply with the regulations.
The Massachusetts Regulations
The “Standards for The Protection of Personal Information of Residents of the Commonwealth” (201 CMR 17.00) establishes a duty to protect personal information (defined as a combination of a name along with a Social Security number, bank account number, or credit card number); sets forth standards for the protection of such personal information and mandates the development of a security system covering a company’s computers. In brief, the Massachusetts data security regulations require businesses that own or license personal information about Massachusetts residents to develop a comprehensive information security program that contains administrative, technical and physical safeguards for the protection of personal information. In addition, companies that store personal information on portable devices (e.g., laptops, PDAs and flash drives) or transmit personal information wirelessly on public networks must deploy encryption and protect against data leakage.
The Revisions
Reduced Obligations
According to OCABR officials, the latest revisions are both a reaction to the concerns of small business leaders and a recognition that the size of a business and the amount of personal information it handles should play a role in the data security plan the business creates. The new language is also a recognition that safeguards need only be appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information. In keeping with this desire to afford businesses more flexibility when designing their information security plan, the revised regulations eliminate the following substantive obligations that were included in the prior version:
- The obligations to limit (i) the amount of personal information collected; (ii) the time such information is retained; and (iii) access to those persons who are reasonably required to know such information;
- The obligation to identify paper, electronic and other records, computing systems and storage-media used to store personal information; and
- The obligation to draft and implement a written procedure for how physical access to records containing personal information is restricted.
Expanded Reach
While the previous iteration of the Massachusetts regulations applied to any person that owned, licensed, stored or maintained personal information about a Massachusetts resident, the amended regulations seem to narrow the scope of the regulation’s reach by including only those persons that own or license personal information. Upon closer inspection, however, the scope of persons to whom the regulations apply is actually expanded, as the regulations define the phrase “owns or licenses” as “receiving, maintaining, processing or otherwise having access” to personal information. As a result, a business that would not have fallen within the scope of the previous regulations because it did not own, license, store or maintain personal information may now be subject to the revised Massachusetts regulations if it merely processes or even has access to such personal information.
Service Providers
The amended language states that businesses are required to oversee service providers by:
- Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
- Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information.
At first glance it might seem that the new language eases the burden on businesses, both by reducing the applicable standard for service provider oversight from the stringent “all reasonable steps” standard to a mere “reasonable steps” standard and by completely removing the obligation that businesses ensure that service providers apply security measures consistent with the Massachusetts regulations. However, by tying security measures to both Massachusetts law and any other applicable federal regulation, the revised language actually expands the scope of required oversight to include rules promulgated under the 1999 Gramm-Leach-Bliley Act (e.g., the Securities and Exchange Commission’s Regulation S-P). Moreover, the revised language not only reinstates the requirement that businesses enter into contracts with their service providers, but also raises the obligation to conduct due diligence prior to selecting and retaining service providers to the level of a legal obligation. In practical terms, this means that businesses must be able to back up their claims that they were in compliance with the Massachusetts regulations by providing convincing evidence of their investigation into the data security procedures of third-party service providers.
In an effort to take the sting out of the contract requirement, the amended regulations attempt to provide a “safe harbor” for certain contracts entered into prior to a particular date. Contracts entered into before that date would not need to contain provisions requiring service providers to implement and maintain appropriate security measures. However, due to what can only logically be viewed as a drafting error, the regulations put forth conflicting dates (March 1, 2010 and March 1, 2010) for contracts that qualify for the exemption. It is suggested that, in keeping with the best practices of the investment advisory profession under Regulation S-P, investment advisers add such contractual provisions to existing service provider relationships.