After a seemingly unending series of delays and modifications, Massachusetts's data protection regulation finally went into effect on March 1, 2010. A copy of the regulation can be obtained here. Unlike the data protection laws of most states, the Massachusetts regulation requires holders of data to put in place a comprehensive set of written measures to protect confidential information (also known as a "WISP," or "written information security policy"), and to update their WISPs on an annual basis. The required contents of the WISP are outlined in the regulation, and cover topics ranging from encryption to vendor agreements.
Thumbnail: The new regulation applies to all persons and companies who either own or license personal information about residents of Massachusetts, and applies both to electronic and paper records. While the opening clause of the regulation appears to limit its coverage to "customer information" and "consumers," the balance of the regulation does not distinguish between information about customers, consumers, employees, or other categories of persons. If past experience with the administrative process in Massachusetts is any guide, it will be a long and winding road before we get any formal guidance as to the regulation's scope.
Takeaway: Irrespective of Massachusetts's new regulation, it is in the interest of every company that possesses confidential personal information to have a written security policy to protect confidential information from inadvertent disclosure and from disclosure by intentional interception or theft. The Massachusetts regulation provides a useful set of guidelines as to what should be in that policy.
Here are some reasons to pay attention:
First, companies can face substantial liability for data disclosures, including by consumer class actions and enforcement actions by regulators. A written WISP that is implemented and followed can be important as a defense against such claims, including claims under theories of negligence.
Second, many companies make information security promises on their web pages, and failure to back up those promises with written protocols and standards can lead to FTC complaints and penalties, among other unpleasant consequences.
Third, a written policy is probably the only practical way to effectively control the use and dissemination of confidential information within an organization of any size and to avoid, to the fullest extent possible, the legal and public relations nightmare of a data breach.
Finally, the measures set out in the WISP ought to provide a company with early warnings so that it can promptly notify regulatory agencies, law enforcement, and consumers whose information may have been compromised.
At least for now, Massachusetts has indicated that it will only audit a company for compliance with the regulation if the company notifies the state of a security breach (as it is required to do), or if a security breach that was not reported to the state hits the press. While a potential data security breach presents inherent public relations and legal risks for a company, having a solid WISP and making a good faith effort to implement it are the first and best line of defense.