As if banks didn't have enough on their plates with compliance and regulation on the federal front, come May 1, they will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security.
The Massachusetts Data Security Regulations are perhaps unmatched in their depth and scope. During a teleconference, attorneys from the privacy and data security practice of the law firm Goodwin Procter (Boston) walked through this detailed, all-encompassing set of rules designed to keep consumers' personal data safe. Unlike the laws of most other states and the federal government, which simply require companies to notify customers after their personal information has been stolen, the Massachusetts rules prescribe safeguards that must be in place before a breach ever happens. "Personal information," for the purposes of the regulation, means a resident's first and last name, or first initial and last name, in combination with a Social Security number, driver's license number or financial account number.
At its core, the regulation requires companies, including banks, that handle the personal information of a Massachusetts resident to develop, and be able to show, a comprehensive written information security program (commonly called a WISP) with heightened procedures governing how that information is handled.
The rules also extend to entities' service providers, who must likewise show that they comply with the Massachusetts requirements for handling residents' data. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify that their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State, and even if they already operate in a heavily regulated industry like financial services. As long as a company's databases hold records on customers who reside in Massachusetts, that company is covered.
According to partner Deborah Birnbach, these are among the most intrusive rules yet imposed on the day-to-day operation of businesses. "It requires changes in your physical access, changes in your relationships with your vendors, changes to your training programs, and changes in the type of information stored and how you store it," Birnbach explained to attendees. "This is not business as usual as it relates to the personal information of Massachusetts residents."
Under the rules, companies have a duty to monitor their security programs on an ongoing basis. The requirements are scaled to the size and type of business, however. Partner David Goldstone said businesses are required to develop, implement, maintain and monitor a "comprehensive" written information security program. "They expect the information security program to be a living and breathing information security program," he said.
The program's safeguards must be administrative, technical and physical in nature. Entities will be required to identify all records used to store personal information. Companies won't be expected to keep a formal inventory of this data, but they are expected to know where it is, Goldstone noted. One suggested way to get there is to create a data flow map showing where personal information is stored and how it is transmitted through the organization.
Businesses must also identify and assess both internal and external risks to the security of that information. Once these steps are completed, they must evaluate (and improve, where necessary) the safeguards in place in areas such as employee training and physical security.
In addition, companies will be obligated to limit the collection and use of personal information to what is reasonably necessary. They must identify the purposes for which they collect it, how long they wish to keep it and who may access it.
Another big component of the regulation concerns the protection of data in transit and data on portable devices such as laptops, BlackBerrys and thumb drives. Companies will be required to encrypt personal information not only when it is stored on such devices but also when it is transmitted over networks or physically carried about, as when an employee takes a laptop home.
Properly training and managing employees will also be key to compliance. The rules state, for example, that companies must be vigilant with terminated employees so that their access to records containing personal information is "immediately" denied.
"Massachusetts may be the first with such detailed regulations, but it is not likely to be the last," predicted Lynne Barr, a partner with the firm.