In 2009, Verizon conducted a national study of data breaches, and tracked 285 million compromised records. This figure was more than the prior four years combined, and evidences an increasing threat to businesses and consumers. The federal government, nevertheless, has failed to enact a comprehensive data breach notification law.
In the absence of federal action, 45 states have attempted to remedy the problem with state-specific legislation, creating a costly and confusing web of requirements. Regionally, Maine, New Hampshire, and Vermont have passed complementary statutes, with similar or identical requirements with respect to the notification of consumers and regulators in the event of a security breach. Massachusetts, however, has taken a more aggressive approach, imposing a range of pre- and post-breach standards that attempt to reach across state boundaries, regardless of where a business is located, with respect to personal information held on Massachusetts residents. Thus, it is important for New Hampshire businesses to be familiar with the law.
Massachusetts requirements with respect to post-breach notification are triggered when a person “knows or has reason to know” that personal information of a Massachusetts resident “was acquired or used by an unauthorized person or used for an unauthorized purpose.”
Under this standard, a person who merely “maintains or stores” personal information of a Massachusetts resident must provide the owner with the following information:
Additionally, the person must also provide the affected resident with notice of:
However, the notice to the resident must not include:
These two final prohibitions are an important detail, as other states specifically require that the nature and scope of the breach be identified. This difference can create a potential pitfall when a breach involves residents of more than one state.
Massachusetts reserves its more onerous requirements for persons who “own or license” personal information. In addition to the notice requirements detailed above, such persons must also provide notice to the Attorney General and the Director of Consumer Affairs and Business Regulation. More importantly, persons who own or license personal information are subjected to the pre-breach requirements of 201 CMR 17.00. 201 CMR 17.00 takes effect March 1, 2010, and mandates (1) the creation of a written comprehensive information security program (commonly known as a “WISP”), and (2) numerous computer system security requirements. Each WISP must detail administrative, technical, and physical safeguards that are appropriate to the size, scope, and type of business of the person obligated to safeguard the personal information, the amount of resources available to such person, the amount of stored data, and the need for security and confidentiality of both consumer and employee information. In addition, there are other stringent standards specified in the regulations that must be met.
Under what circumstances do New Hampshire businesses have to comply? At the most basic level, constitutional law requires there be sufficient contacts with the enforcing state in order for it to have jurisdiction. Therefore, a business does not have to be concerned if it retains no personal information of Massachusetts residents. However, if a business does retain such information, a distinction may be drawn between information obtained “accidentally” versus “purposefully”. For example, if a business is located in the Lakes Region, only advertises locally, and occasionally has out-of-state customers, the reach of the law to such a business would appear excessive. But, a business may be subject to the law’s requirements if it is located on the border with Massachusetts and advertises to Massachusetts residents. In short, whether or not the law applies will depend in part on the specific acts of the business and the constraints of constitutional law.
In addition, businesses must also consider whether they “maintain or store” or “own or license” personal information. M.G.L. 93H § 2 specifically indicates that 201 CMR 17.00 relates to the owners or licensors of personal information, presumably exempting persons who merely maintain or store such information from the regulation’s requirements. Nevertheless, a recent amendment to the regulation now includes storage and maintenance activities within the scope of the term “owns or licenses.” This amendment blurs the distinction between these terms and makes it unclear how a business will be classified. The application of this regulation will evolve over time but may depend on how businesses choose to structure their information management activities.
At this point, it is too early to know what enforcement actions may be contemplated by Massachusetts’ authorities. To be prudent, a business should assess the scope of its activities and the nature of the data it maintains. This review should examine how personal information is used and accessed, where it is stored, and current security measures. In addition, it is crucial to consider third party relationships and related access to information. Ultimately, a thorough review will likely require the assistance of technology and legal professionals.
The threat from security breaches is real. Further, the danger is often self-inflicted, with more than 80% of breaches resulting from simple oversight and basic human error. These statistics, and the growing web of conflicting state requirements, call out for federal action. Until such time, best management practices suggest using the March 1, 2010 deadline under Massachusetts law as an impetus for a proactive review of security and information management procedures.
* John Funk is admitted in New Hampshire, Massachusetts and Vermont. Robert J. Dietel is admitted in New Hampshire. They can be reached at 800-528-1181.