Businesses Nationwide Continue to Grapple With Burdensome Massachusetts Data Privacy Laws

Businesses Nationwide Continue to Grapple With Burdensome Massachusetts Data Privacy Laws

By David M. Governo and Corey M. Dennis

There were over 1,800 data security breaches affecting more than 3.2 million Massachusetts residents between November 2007 and September 2011, according to a recent report from the Massachusetts Office of Consumer Affairs and Business Regulation. These incidents, most of which were reported by companies in the health care, financial services and retail industries, involved both malicious hacking and unintentional breaches.

Data security breaches result in substantial monetary and reputational losses for businesses. The best way for a company to protect itself from these costs and liabilities is to establish policies and safeguards to reduce the likelihood of a breach. At a minimum, it is essential to comply with applicable data privacy laws. Achieving this minimum level of compliance, however, is a difficult task and does not eliminate the risk of a data security breach. Thus, cyber liability insurance is quickly becoming a popular way for companies to mitigate their financial exposure.

Overview of Massachusetts Data Privacy Laws

The Massachusetts data privacy regulations (201 CMR 17.00 et seq.) became effective in March 2010 and are among the most burdensome in the country. The regulations were enacted to combat the increased threat of data security breaches following several high-profile incidents, most notably the TJX Companies breach, which resulted in 94-million customer accounts being compromised and a multi-billion dollar loss to the company, including fines, legal fees, notification expenses and brand impairment. The regulations apply to every “person” or entity, including businesses both inside and outside of Massachusetts, holding, processing or otherwise accessing personal information of Massachusetts residents. See 201 CMR 17.02. ¹

The regulations require such businesses to establish physical, administrative and technical information security measures to safeguard personal information and to develop a “Written Comprehensive Information Security Program” (WISP) outlining those measures. Businesses must also take reasonable steps to ensure that their third-party service providers (e.g., payroll providers, outsourcers, contractors) comply with the regulations, and must require such service providers to implement security measures by contract. Further, all records containing personal information transmitted over public or wireless networks, or stored on laptops or other portable devices, must be encrypted. See 201 CMR 17.03 & 201 CMR 17.04. The requirements of encryption and of ensuring third-party service provider compliance have been some of the more challenging aspects of the laws.

The regulations adopt a risk-based approach to information security, which takes into account the size, scope and resources of the business, as well as its need for security. A company’s compliance obligations do not end once the security measures are implemented; rather, the regulations require regular monitoring and reviewing of security measures, at least annually, to ensure they are preventing unauthorized access to personal information. See 201 CMR 17.03. Failure to comply with the regulations could result in penalties of up to $5,000 for each violation affecting a Massachusetts resident, along with injunctive relief, attorneys’ fees and the reasonable costs of investigation and litigation. See Mass. Gen. Laws ch. 93H § 6; Mass. Gen. Laws ch. 93A § 4.

Massachusetts has enacted two additional laws designed to protect the personal information of its residents: Mass. Gen. Laws ch. 93H requires businesses, in the event of a data security breach, to give notice to any affected Massachusetts residents, as well as to the Attorney General’s Office and the Office of Consumer Affairs and Business Regulations. Mass. Gen. Laws ch. 93I requires any business disposing of documents or electronic media containing personal information to redact, shred or otherwise destroy the records so that personal data cannot practicably be read or reconstructed.

Data Privacy Laws of Other States

Massachusetts is not alone in enacting laws governing data privacy and security. Over the past several years, 46 of the 50 states have enacted data security breach notification laws. The data privacy laws of California and Rhode Island, for example, require businesses holding unencrypted personal information of state residents to implement “reasonable security procedures and practices appropriate to the nature of the information” and require by contract third parties to whom they disclose such information to implement those safeguards. Cal. Civ. Code § 1798.81.5; R.I. Gen. Laws § 11-49.2-2.² Further, in the event of a security breach involving such information, the laws of both states require notification to affected residents “in the most expedient time possible.” Cal. Civ. Code § 1798.82; R.I. Gen. Laws 11-49.2-3.

Under Connecticut’s data privacy laws, any business holding personal information must safeguard it to prevent misuse by third parties, and any business that collects Social Security numbers in the course of its business must create a “privacy protection policy” establishing safeguards for those Social Security numbers. See Conn. Gen. Stat. § 42-471.³ The laws also require those doing business in Connecticut to disclose any security breach involving unencrypted personal information to state residents “without unreasonable delay.” Conn. Gen. Stat. § 36a-701b.

A company’s compliance with its own state’s data privacy laws will not excuse it from complying with the laws of other states in which it does business. Thus, it is advisable for companies to establish policies and safeguards complying with the most stringent applicable data privacy laws, which in many cases—particularly for businesses operating in the Northeast—will be the Massachusetts data privacy laws. There are also a host of other industry-specific data privacy laws with which many U.S. businesses must comply, including the Health Insurance Portability and Accountability Act (applicable to health care providers and certain others with protected health information), the Gramm–Leach–Bliley Act (applicable to financial institutions), the federal Red Flags Rule (applicable to financial institutions and certain other creditors), the Payment Card Industry Data Security Standard (applicable to businesses handling credit and debit card information), and the European Union Data Privacy Directive (applicable to those doing business in Europe).

Recent Data Security Breaches

Data security breach incidents are now making the news headlines on nearly a daily basis, and there is a growing trend of active enforcement by governmental authorities. Recent examples include the following:

-  In May 2012, a Massachusetts hospital agreed to pay $750,000 to settle a Massachusetts Attorney General enforcement action based on a data breach involving the compromise of over 800,000 consumers’ protected health information.

-  In June 2012, a LinkedIn® security breach involving the theft of more than six million customer passwords was reported. The breach resulted in the filing of a class action lawsuit in the U.S. District Court for the Northern District of California seeking over $5 million in damages. 

-  In March 2011, a major Boston restaurant group agreed to a $110,000 settlement in connection with a Massachusetts Attorney General enforcement action relating to a breach that put tens of thousands of customers’ personal information at risk.

-  In June 2012, the FTC filed a complaint against a large hotel chain in the U.S. District Court for the District of Arizona, charging that it repeatedly failed to safeguard consumers’ personal information, which resulted in the compromise of several hundred thousand consumers’ payment card data and $10.6 million in fraud loss.

-  In June 2012, a subscription-based provider of geopolitical analysis agreed to settle a class action lawsuit filed in the U.S. District Court for the Eastern District of New York— which was based on a hacking breach that resulted in thousands of customer credit cards and hundreds of thousands of subscriber email addresses being published—for an estimated $1.75 million (based on the terms of the proposed settlement).

-  In June 2012, the U.S. Department of Health and Human Services reported that the Alaska Department of Health and Social Services (the state’s Medicaid agency) agreed to settle potential violations of the HIPAA Security Rule (governing protection of electronic health information) for $1.7 million.

While large companies, particularly those in the health care, financial services and retail industries, hold significant amounts of personal information that must be safeguarded, smaller businesses are not immune from data security breaches. A recent Wall Street Journal® article reported that the majority of worldwide data breaches last year involved companies with 100 or fewer employees, and explained that smaller businesses, due to their limited resources and budgets, are particularly vulnerable to cyber theft.

Enforcement of data privacy law violations is likely to increase in the future. In fact, the National Association of Attorneys General, comprised of the attorneys general of every U.S. state (as well as the District of Columbia and several U.S. territories), recently announced a new initiative entitled “Privacy in the Digital Age,” which will explore ways to protect online privacy and manage the risks associated with data breaches and emerging technologies. In light of these trends and developments, it is clear that compliance with applicable data privacy laws is not only good business, but also an essential obligation of every company today.

Biographies:

David M. Governo is the founding partner of Governo Law Firm LLC, a 17-attorney law firm in Boston, Mass. For over three decades, he has advised companies on a range of business, risk management and compliance issues. He has also defended companies in complex litigation, including toxic tort, environmental, product liability, indoor air quality and insurance coverage claims. He has attained the highest Martindale-Hubbell’s® AV® rating, is an active member of the Federation of Defense and Corporate Counsel, and has been voted a New England Super Lawyer for many years.

Corey M. Dennis practices complex litigation and dispute resolution at Governo Law Firm LLC. He has defended and advised companies in business litigation, product liability, toxic tort, employment and professional malpractice matters. He also has expertise in data privacy– and cyber liability— related matters, and advises businesses on compliance with data- privacy laws, including the Massachusetts data privacy regulations (201 CMR 17.00 et seq.) and the Massachusetts security breach notification law (Mass. Gen. Laws. ch. 93H). He has published numerous legal articles on civil litigation, social media, employment law, toxic torts and other subjects.

¹“Personal information” is defined as a Massachusetts resident’s first name (or initial) and last name, in combination with the resident’s: (1) social security number; (2) driver’s license number or state-issued ID card number; or (3) financial account number or credit/debit card number. See 201 CMR 17.02.

²The definition of “personal information” under the Rhode Island law is similar to that under the Massachusetts law, but the definition under the California laws is broader in that it includes medical information, and for purposes of California’s data security breach notification law, health insurance information. See R.I. Gen. Laws § 11-49.2-5; Cal. Civ. Code § 1798.81.5; Cal. Civ. Code § 1798.82.

³“Personal information” is broadly defined as including, but not limited to, an individual’s: Social Security number, state identification number, account number, credit or debit card number, passport number, alien registration number and health insurance identification number. See Conn. Gen. Stat. § 42-471(c).