The last and most difficult provision of Massachusetts' notorious data privacy law kicks in March 1, putting companies nationwide in the tenuous position of policing their third-party service providers.

The law, enacted in response to the TJX Cos. data breach disclosed in 2007 that exposed the records of some 46 million people, at first required companies to set up strong internal protections for any personal information they hold on Massachusetts residents. Under the regulations, that data is a resident's name in combination with a Social Security number, a driver's license or state-issued ID number, or a financial account, credit card, or debit card number. Now the deadline looms for companies to require their third-party service providers, by contract, to implement and maintain similar “appropriate security measures” for that same personal data, according to the law.

In its most basic form, compliance means negotiating an addendum to existing contracts, and revising corporate contract templates to include the language. Many companies are on top of those changes and have been incorporating the language into new and renegotiated contracts since the main provisions of the law took effect two years ago, lawyers say.

“Companies with the more robust compliance programs tend to have things tied up,” says Heather Egan Sussman, a partner at the law firm McDermott Will & Emery and co-chair of the firm's global privacy and data protection group. The law reaches companies nationwide and even abroad, since it applies to any company holding personal information on Massachusetts residents, whether customers or employees, not only to companies with business operations in Massachusetts.

Exactly what the law expects of companies beyond the contract is still unclear, however. Some say that the language of the statute and regulations, plus some common sense, may be enough.

“There is no requirement in the Massachusetts data privacy law for ongoing monitoring and review of third parties,” Sussman stresses. “If you take reasonable steps to select and retain third parties who are able to comply and have that language in your contract, you should be able to rely on that contractual language.”

Others, though, say that the contract may be only the beginning of a company's duty to protect its sensitive client and employee data. “Just having that phrase”—that a firm will maintain appropriate security measures—“in your third-party contract is not the highest standard,” says Sara Jane Shanahan, a partner at the law firm Sherin and Lodgen in Boston.

Relying on a vendor's size or relative market share may not be enough, either. “Many companies will say, ‘I've hired the biggest guy in town,' but it doesn't hurt them to ask if you have the right to audit, and to ask for their most updated data security policies,” Shanahan says. “Then if you do have a breach, you can point to steps you've taken.”

The duty can be especially tricky for smaller companies, notes John Lacey, a lawyer with the McCormack law firm in Boston and author of the Massachusetts Data Privacy Law Blog. “How is a small business going to oversee, say, Iron Mountain?” he asks, referring to the data storage giant.


Sussman says she is advising her clients to double-check contracts with their external Web-hosting services, since those firms have seen a rising number of data security attacks. And companies should also make sure that service providers of all types truly are compliant when they say they are.

Cloudlock, a relatively new service that allows companies to track the movement of Google Apps documents within and outside their organization, has gotten a boost in business thanks to the Massachusetts law, says Gil Zimmermann, CEO and co-founder of the data security company. While Cloudlock may allow customers to say they have controls in place, “we don't make them compliant,” Zimmermann says. “There's a whole spectrum of other things they need to have in place.”

Breaking Bad News

When a company does suffer a privacy breach (either its own or through one of its vendors), it must notify the affected residents, the Massachusetts attorney general's office, which enforces the statute, and the state's Office of Consumer Affairs and Business Regulation.

BEST PRACTICES

Tips for complying with the service-provider requirement of the Massachusetts data privacy law:

(1) Consider a vendor's ability to comply with this law in your selection process.

(2) Request a written data security policy from the vendor, with the understanding you will receive future updates to it as well.

(3) Ask for the right to audit the vendor, considering carefully what types of information you would be seeking and under what circumstances you would exercise the right.

(4) Review vendors' policies annually as part of the regular internal policy review process.

—Alix Stuart

What happens after notification “is anyone's guess,” says Lacey, a former prosecutor, but companies are likely to fare better “if it looks like the firm is in control of what's happening, knows the details of what was lost, and how far and deep the third party went in their investigation.”

In the two years since the law took effect, the Massachusetts attorney general has disciplined only two companies for violating the law's main duty to protect their own customer and employee data, Lacey says. One, pub owner the Briar Group, paid $110,000 in fines after continuing to use a credit card processing system that had been hacked even after Briar knew of the breach. The other, Belmont Savings Bank, was fined $7,500 when an employee left an unencrypted backup computer tape on a desk overnight and the tape was removed by the cleaning service. The Belmont case turns on a specific requirement of the regulations, which call for encryption of personal information stored on laptops and other portable devices and of personal information transmitted over public networks or wirelessly; a lost tape that was encrypted would have been a far smaller problem.

While companies adjust to the new realities of the Massachusetts law, state legislators across the country are racing to enact similarly aggressive measures. Forty-six states now have data breach laws, and lawmakers in many of them are actively amending and expanding their statutes.

In a “very bold” move last August, Texas lawmakers went so far as to create a quasi-federal statute, says Sussman, since any company that does business in Texas must notify affected consumers about any data breach that occurs, even if they reside in another state. That change goes into effect at the end of this summer.

OVERSEE SERVICE PROVIDERS

The following excerpts from the Massachusetts data privacy regulations (201 CMR 17.03(2)) set out the service-provider requirement and the related program duties that bear on it.

(f) Oversee service providers, by:

1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and

2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person's behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.

(g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.

(h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.

(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Source: 201 CMR 17.03(2), Standards for the Protection of Personal Information of Residents of the Commonwealth.

At this point, the best relief for frazzled compliance officers may be a federal data privacy law that sets one standard nationwide. Washington lawmakers have talked about that idea for years, and Lacey is tracking six bills in Congress (three in the House, three in the Senate) that have implications for data privacy standards. “I think we are going to see federal regulation, because the patchwork of state regulations has made it so difficult for companies to comply,” Sussman says.

Five of the six would require companies in all states to maintain data protection programs similar to those mandated by Massachusetts. All of the six, including the Data Breach Notification Act sponsored by Sen. Dianne Feinstein, D-Calif., would require companies to notify customers and employees if their personal data was compromised. Most would place enforcement in the hands of the Federal Trade Commission or state attorneys general.

“When [an attorney] has to dig into 46 state laws for a client with a data breach, it's a lot of time and a lot of money,” Lacey says. “If there was a federal law, [the legal course of action] would probably be cheaper; it would at least be clearer.”

Regardless of how the laws evolve, lawsuits related to data and privacy breaches are likely to keep on coming. Google, Apple, Amazon, and Disney are among the best-known companies that have seen such actions flowing from customers and employees in the past year.

Even relatively low-profile firms are coming under fire. After Stratfor, a subscription-based Website specializing in geopolitical news analysis, lost customer credit card information in a hacking attack last December, a New York customer filed a class-action lawsuit seeking more than $50 million in damages. According to news reports, the lawsuit invoked the federal Stored Communications Act and cited the company's failure to notify customers immediately after the attack.