
I had the pleasure yesterday of attending a small-format seminar hosted by Wilmer Hale on the Massachusetts data security regulations.  The event was organized by Machiko Sano Hewitt of the Lawyers Clearinghouse (who, by the way, organized my seminars on the same topic).

Gerry Young, Secretariat Chief Information Officer of the Commonwealth of Massachusetts, presented along with Becky Burr, Molly Fox, Libby Black and Scott Kopcha of Wilmer Hale.  The presentation was excellent and the presenters were well prepared, knowledgeable and genuinely interested in helping (and Gerry clearly loves his work).

The presentation was geared for non-profits so I was perhaps a bit of an interloper (but my intentions were pure).

The biggest takeaway for me from the presentation was the emphasis on adopting “industry standards” in order to comply with the new regulations.  The standards provide both a framework for assessment and a shortcut or template for drafting a comprehensive written information security plan.  Gerry Young, Scott Kopcha and Becky Burr all mentioned adopting industry standards independently and ultimately all agreed that the best industry standard to follow would be ISO 27001 and ISO 27002 (even though they cost money to purchase).

Gerry Young and Scott Kopcha also highlighted the weakest link in any security program: Gerry noted that the “biggest threat is the internal threat,” and Scott commented that it is “generally the carbon-based units that are to blame for breaches . . . education and awareness are key.”

Gerry Young noted that organizations need to be “thinking proactively about data protection” in order to be in compliance and that “the biggest problems are something happening and people not knowing how to respond.”  This highlights the importance of having a breach response protocol and team in place before a breach happens because according to Gerry Young, a “data security breach is not a question of if, it’s a question of when.”

The most troubling revelation (to me) was that Gerry Young, arguably in a position to understand best (at least in the room yesterday) the drafters’ intent with respect to the regulations (as he was involved in the drafting process) said on more than one occasion that many of the terms and provisions of the regulations will not be fully understood until they are litigated.

The latest final version of the new Massachusetts data privacy regulations has been released and posted.  See them here.

For a review of the changes (minor), read my post from Monday.  You can also read the press release from the OCABR.

I will be in attendance at a seminar next week with members of the OCABR and I will report on that session afterwards.

According to the Hunton & Williams blog:

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.
A final version of the latest amendments has not yet been made public, but the BNA has circulated a copy of what is purported to be the final draft, which includes changes to provisions related to service providers.  First, the definition of “service provider” has been modified to (1) clarify that “any person” who “stores” personal information through the provision of services will fall within the definition’s scope (the term “stores” was not included in the prior version’s definition), and (2) remove the express exclusion of the U.S. Postal Service from the term “service provider.”
The “safe harbor” provision with respect to existing service provider contracts also has been revised.  Pursuant to the regulations, businesses that are subject to the regulations generally must require by contract that third-party service providers implement and maintain appropriate security measures for personal information.  While the previous version of the regulation stated that “any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed in compliance . . . notwithstanding the absence in any such contract of [this requirement], so long as the contract was entered into before March 1, 2010,”  the new version provides that “until March 1, 2012, a contract a person has entered into with a third party service provider to perform services . . . satisfies [this provision] even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.”  The revision clarifies that the deadline for updating service provider contracts entered into prior to March 1, 2010 is March 1, 2012, and any contracts entered into after March 1, 2010 must comply with the regulations upon execution.
I will provide an update as soon as the latest changes to the frequently amended regulations are available.

It is an axiom of organizational compliance – awareness of compulsory policies is the first step (or hurdle) to compliance.  The new Massachusetts data privacy regulations, currently scheduled to have a required compliance date of March 1, 2010 (originally May 1, 2009, then January 1, 2010), are comprehensive, forward-thinking and proactive in nature, but little known by rank-and-file businesses (even here in Massachusetts).

The best-drafted compliance program within an organization isn't worth the paper it's written on if no one knows about it.  The same is true for mandatory, prescriptive regulations.  If more outreach isn't done, the best these regulations can deliver is enforcement once a breach has occurred.  The rules, as written and as intended, are meant to protect Massachusetts residents from exposure — to be proactive.

Lots of chatter – It’s true there is lots of chatter about the new regulations, but by whom?  Me, for one. The folks that are paying attention are either consultants to businesses in areas of compliance and data security, or organizations large enough to have an independent compliance function (or larger organizations still that have dedicated data privacy offices). Most small and mid-sized businesses that have had no prior experience with data privacy issues are not informed.

Most small and mid-sized businesses clueless – When I speak to executive and mid-level managers who need to be informed about the regulations, and about the risks in their business processes that inherently give rise to the need for the regulations, they are clueless: clueless about the magnitude of the risk, their potential exposure, and the fact that the State has promulgated these new rules. Moreover, most are incredulous in the face of the prospect that yes, indeed, this means you.

No effort to educate – Outside of the industries and consultants that already have data privacy infrastructure, there is little evidence that the State has given much thought to awareness. Remember the first axiom of organizational compliance I mentioned. In fact, it is even difficult to navigate the website of the Massachusetts Office of Consumer Affairs and Business Regulation to find the helpful material that is posted (deep within). Go ahead and try, and report back to me.

The regulators in Massachusetts need to fix this problem if there is any hope that a prevention model of data privacy regulation can lead to a positive change for the citizens. A mechanism that punishes poor practices after the fact does much less good than one that prescribes and enforces good practices before a data breach occurs.  As they say, it's much better to close the barn door before the horse is out.

From the Security, Privacy and the Law blog at Foley Hoag:

In Mercier v. Courtyard Nursing Care Center, 2009 WL 1873746 (Mass. Super. Ct. Jun. 11, 2009), a resident of a nursing home sued the home in Massachusetts Superior Court for negligence after being assaulted by another resident.  The injured resident moved to obtain medical records maintained by the home regarding the resident who had allegedly committed the assault.  The home contended that disclosure of the records would violate both HIPAA’s prohibition on disclosure of medical records without a patient’s authorization and Mass. Gen. L. ch. 93A, the Massachusetts unfair and deceptive practices statute.

The court, however, held HIPAA permitted disclosure of medical records “in the course of a judicial proceeding,” including in response to a court order, subpoena or discovery request. The court further observed that, although a Massachusetts regulation states that unauthorized release of a patient’s personal or medical record violates ch. 93A, the regulation contains a specific exception for disclosures “required by law.”

We are planning another round of seminars on the new Massachusetts regulations for businesses with Massachusetts employees and customers.  In coordination with Lawyers Clearinghouse and The Boston Private Bank and Trust, we are preparing presentations geared toward non-profits. We are targeting January and February dates.

We are considering a two-part series: (1)  an overview like the prior presentation (but with the updated regulations); and (2) a more practical assessment, drafting and implementation program.

I would love some feedback.  Does this sound good?  Is there something else or additional we could do?

If there is interest, I could also put together presentations geared toward for-profit organizations, and even get industry or sector-specific.

I went back yesterday and updated the posts outlining the new Massachusetts data regulations to reflect the latest changes from the Massachusetts Office of Consumer Affairs and Business Regulation.

Here are links to those updated posts:

Introduction to the New Massachusetts Privacy Laws

New Massachusetts Privacy Laws – Who is Regulated?

New Massachusetts Privacy Laws – The WISP

New Massachusetts Privacy Laws – Breach Notification Requirements

New Massachusetts Privacy Laws – Data Destruction

If you prefer, here is a .pdf with a summary of all of these posts:

Comprehensive New Massachusetts Privacy Regulations Affect All Businesses with Personal Information of Massachusetts Residents