
Bay State data law may bite CT firms

Connecticut firms doing business across the Massachusetts border may be in for a rude surprise next month.

While Connecticut has adopted a ‘go slow’ approach to data security, the Bay State has been more aggressive. Companies that own or license personal information of Massachusetts residents have until March 1 to bring their third-party service provider contracts into compliance with the data security regulation of the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR).

Contracts that took effect on or after March 1, 2010, when the regulation became effective, already had to meet its requirements. Contracts signed before that date were given a grace period and must be amended by the March 1 deadline to ensure compliance.

The regulation (201 CMR 17.00) applies to any business that owns or licenses personal information about Massachusetts residents, regardless of its size, its industry or where in the U.S. it is located.


“A lot of Connecticut companies have employees and customers in Massachusetts. But smaller companies may not be aware of this regulation,” said Socheth Sor, an attorney at Edwards Wildman Palmer LLP, a Hartford-based law firm.

Personal information means a Massachusetts resident’s name combined with a Social Security number, a driver’s license or state ID number, or a financial account, credit or debit card number. A company that shares this information with a third-party vendor, such as a payroll tax firm or a health insurance provider, must take reasonable steps to select vendors capable of protecting it and must require them by contract to do so. The third-party service provider provision was modeled after the FTC’s Safeguards Rule.

Sor said that although several federal data privacy requirements are in place, they apply only to companies that are subject to oversight by federal regulatory agencies.

“The Massachusetts requirements are very detailed. While other states ask for ‘reasonable protection’ — Massachusetts requires many categories including firewall, password and anti-virus policies,” Sor said.


Most companies already follow data protection practices such as shredding documents and issuing employee key cards. The regulation now requires that all of these measures be set out in writing in a written information security program (WISP).

According to a recent client advisory from Edwards Wildman Palmer, the WISP must include technical, physical and administrative safeguards for the protection of personal information owned, licensed, received, stored, maintained, processed or otherwise accessed by the company.

The law firm outlined that companies should secure compliance by vendors and sub-vendors through contract terms providing that:

The company has the right to evaluate or audit the vendor periodically;

The vendor in turn contractually requires its own vendors to comply with the requirements;

The vendor gives the company immediate notice of any actual or potential breach involving personal information shared with the vendor;

The vendor returns or destroys all of the company’s personal information in its possession when the contract ends, to the extent feasible;

The vendor agrees to indemnify the company and hold it harmless against losses, damages and expenses, including the cost of any investigation and computer forensics, resulting from a data breach caused by the vendor or its sub-vendors.

According to the OCABR website, the regulation takes a risk-based approach to information security. Businesses have flexibility depending on their size, scope, the resources available to them and the sensitivity of the data they hold. A company that keeps personal information on only a small number of employees may satisfy the regulation by storing the files in a locked cabinet in a locked room and limiting access to those with an official need. A company holding a large volume of customer data needs a more stringent written program.

Small business owners who don’t have an internal compliance expert or the budget to hire a law firm could follow the OCABR’s guidelines on its website.

George P. Gombossy, a consumer activist, and editor and publisher at Connecticut Watchdog LLC, believes that any business that requires and keeps sensitive information should have a legal responsibility for any improper use of it.

He also believes there should be a federal law that applies to all companies as opposed to different rules in each state.

“At the minimum, the regulation or law should require that the company with a breach inform the state attorney general within 24 hours, provide each potential victim with a free year of credit monitoring and to make whole any victim of identity theft as the result of that breach,” he said.

The FTC estimates that around 9 million individuals are victims of identity theft in the U.S. each year. A recent study by the Michigan-based Ponemon Institute found that 39 percent of data breaches in 2010 involved third-party service providers. These included outsourcing partners, contractors, consultants and business partners.

Kia Murrell, associate counsel at the Connecticut Business & Industry Association, Inc. in Hartford, said that although on its face the Massachusetts regulation appears to be sound public policy, Connecticut should wait and watch before adopting a similar regulation.

“We have to be cautious about unintended consequences to small businesses during a time of economic recovery,” she said. “It’s important to monitor the practical impact of what works and what doesn’t and right now it’s too premature to say.”
