A sweeping Massachusetts data security regulation that kicked in on March 1 is prompting companies to seek legal review of how they store and use the personal information of Massachusetts residents.
The regulation defines "personal information" as a name plus a Social Security number, driver's license or other government-issued number, or bank or credit card account number.
Local and out-of-state law firms are jockeying to help companies of all sizes change their procedures to comply with the regulation, which was initially slated to take effect on Jan. 1, 2009, then Jan. 1, 2010.
Holland & Knight's firmwide technology partner, Ieuan Mahony, a Boston intellectual property lawyer, spoke with The National Law Journal about the scope of the regulation and how the firm is helping clients comply with it. The Q&A has been edited for length and clarity.
NLJ: How does the Massachusetts regulation compare with other state requirements?
IM: Almost every state has a notice of security breach statute, which says if you have [customers'] personal information and there's been unauthorized access, you need to tell all the data subjects. The Massachusetts regulation says that, before there's a breach, you need to take care of the personal information. There are other states that have soft requirements that say you ought to have policies and procedures in place to protect [this information]. Apart from Nevada, no other state has regulations at this level of specificity and with these requirements with respect to encryption.
NLJ: Why was the implementation date delayed?
IM: There was a lot of discussion with industry about striking the right balance with the regulation. This last version has cut back a bit on some of the earlier requirements, but it was really industry talking with the regulators.
NLJ: What is enforcement of this regulation going to look like?
IM: Enforcement will be [governed by the state's] security breach statute, which does not allow a private right of action. The attorney general can bring an action against [violators]. The attorney general's office in Massachusetts is pretty into [protecting] personal information and [preventing] identity theft. They're on top of this stuff. That's why we have these regulations. You don't want to underestimate [that]. A private party may be able to sue under a negligence concept, a common law concept outside this statute. [To avoid negligence claims], I need to use reasonable care that harm doesn't come to you, and these regulations set the standards for what's reasonable care. You might still have a good remedy to whack me if I'm not protecting your information, but it's not under these regulations.
NLJ: What kind of penalties could companies face for not complying?
IM: The Massachusetts attorney general can seek to obtain a civil penalty of $5,000 for each data violation. It's not clear whether it's per violation or [for each] data subject [individual whose personal information is affected].
NLJ: What is the firm doing to help client companies based in, and outside of, Massachusetts?
IM: We are helping clients get a written information security [program], or a WISP, in place. [Even] more important is to assist the client with business rules about the way employees treat personal information. It's the implementation of the policy that's the more important aspect of getting a compliance program in place. With the implementation, the client will need to drive a lot of those discussions. Outside counsel won't know the [company's] business rules, such as: Where does the information come from? Do you get Social Security numbers? How do you store them? Do you ship them outside the office? Is there a payroll service you shoot personal information back and forth to? Those things the client is going to know, and the attorney is going to ask the hard questions.
NLJ: Are you getting many inquiries from companies outside of Massachusetts?
IM: The vast majority that we're seeing are Massachusetts entities. [As for] clients outside of Massachusetts, although we're talking to them, and a good number are compliant or working diligently towards compliance, the number of non-Massachusetts entities is a lot smaller.
NLJ: The regulation requires companies to contractually mandate that vendors or service providers with access to the regulated information protect the information. Since the regulation applies to any company that enters into such contracts after March 1, and mandates that existing company contracts be changed by 2012, are you helping companies comply with this yet?
IM: At least [to vendors] in Massachusetts, a lot of letters are going out asking if they are in compliance or capable of being in compliance and letting them know about the grace period.
NLJ: Just before the new effective date of the regulation, the firm sent out a client alert noting that it's offering a fixed-fee compliance package. Why did the firm decide to offer this?
IM: Because the regulation applies broadly, including to small businesses and mom-and-pop stores, the thought was to put together baseline documents and additional navigational requirements so clients can self-manage a good portion of that work. Along with that, [there's] a level of attorney consultation.
[The fixed-fee package] is geared towards smaller-size entities with less complex data security issues, not a larger entity with personal information stored in different departments. For example, small educational institutions like small colleges and private high schools. There's a little more complexity, but they're not huge, and their fees need to be smaller [because they're not-for-profit].
The Federal Trade Commission's red flags rules, which mandate that creditors report possible identity theft, have a similar kind of really broad scope. It's going to pick up a huge amount of entities, and it's structured in a similar way. The WISP regulations say the amount of compliance effort is going to be relative to the size and complexity of your business. It's a sliding scale. The effort on the attorney end is to provide the attorney services and legal advice at the right level.
Sheri Qualters can be contacted at squalters@alm.com.
