Telecommunications providers in Massachusetts will be grappling with a new data security law that legal experts indicate is among the most forward-looking in the nation.
The state law requires businesses that “own, license, store or maintain personal information” on customers to encrypt that data, especially on portable devices such as laptops. That responsibility is extended from the primary business to contractors, such as telemarketing firms, and it extends to transmissions on wireless devices such as BlackBerries.
“This law is very ahead of the curve,” said Miriam Wugmeister, a partner with Morrison Foerster, a law firm that tracks trends in data security law. U.S. law has generally taken the view that companies have wide leeway to collect data such as Social Security numbers, driver's license numbers and financial account numbers, as long as doing so causes no overt harm to consumers. The Massachusetts law is closer to European law, which places more restrictions on data collection.
The legislation is not unlike the rules that now govern how hospitals protect patient information and contain its release, Wugmeister said.
Nevada also has a law, to take effect Jan. 1, that requires encryption of any personal information that leaves the computers of the original collector and passes electronically to another entity. But that law does not address laptops and portable devices.
Actually, the Massachusetts law may be a little ahead of its time, according to Wugmeister. It extends its encryption mandate to portable devices including flash drives, CDs and cell phones. Yet encryption technology is “just not there” for all those types of devices, she said.
“The technology is just starting to be developed, so it's tricky. If the government had to comply [with the new rules], it would be impossible. But then, they're exempt,” she said.
The law is a reaction to notable lapses in security by banks, department store chains and other credit record holders which have exposed consumers to possible identity theft during the last five years. No company seems to be immune: Charter Communications this summer had to notify 9,000 current and former employees that their data, including Social Security numbers, may have been compromised when a company laptop went missing in August from one of its offices in South Carolina.
Wugmeister noted that even businesses that have no facilities or personnel in Massachusetts should anticipate they will be subject to this new regulation if they maintain any personal information on a Massachusetts resident.
Firms that operate in the state, or that do business with firms in the state, must now designate an employee to maintain a security program. That employee must identify all paper and electronic records that contain personal information and the devices that house that data. The security program must include processes for granting and withdrawing employee access to sensitive information, authentication procedures, methods of assigning passwords, maintenance of firewalls and malware protection, employee training, and disciplinary procedures for employees who violate the security rules.
Policies must be written to limit the amount of personal information collected to the minimum necessary to reasonably complete the task at hand, and to retain that information only as long as it is needed to do business. Security programs must be reviewed at least annually, and company responses to security breaches must be documented.
Wugmeister said the new responsibilities extend to partner businesses, such as marketing firms or call centers. The originating business must take “reasonable steps” to verify that third parties have the capacity to protect shared information.
The law gives individuals no right to sue companies over security breaches. It falls to the state Attorney General's office to investigate and fine any business found to be in violation of the law.
Companies have more time to develop strategies to comply with the law: the Massachusetts Office of Consumer Affairs and Business Regulation earlier this month decided to move the compliance deadline from Jan. 1 to May 1, 2009.