
Massachusetts data privacy law, outwards and upwards September 28, 2011

Posted by Brandon in Tenet Forum - The Law.

Last week, Massachusetts Attorney General Martha Coakley announced that she may be investigating Apple Inc. for breaches of personal data laws in Massachusetts, and is otherwise stepping up enforcement. With 480 reports of data breaches this year, Coakley has estimated that 1 in 3 Massachusetts residents are victims of a personal data breach. Her comments lead some to believe that what some may consider an obscure law will be enforced not just in Massachusetts, but nationwide.

In 2007, Massachusetts enacted a new law in Chapter 93H to protect against security breaches of personal data. Under the law and its accompanying regulations, anyone who owns or licenses personal information of Massachusetts citizens must develop a plan to protect that personal data, report security breaches, and dispose of personal information. Ostensibly, this means that any company in any jurisdiction, worldwide, may breach the law if it maintains accounts containing personal data of Massachusetts residents.

Chapter 93H was spurred on in part by a major data breach at the Massachusetts company TJX, in 2007. In that incident at least 45.7 million credit and debit card numbers were stolen by hackers who accessed the TJX computer systems. However, the regulations promulgated under Chapter 93H did not go into effect until March 2010, and the first fine was not issued until a year later.

The Massachusetts regulations for the data protection laws, 201 CMR 17, sought to change the conception of personal data for the commonwealth, and are written to be technology neutral. The law is enforced by the Massachusetts Attorney General’s Office, and there is no private right of action under Chapter 93H. Katz v. Pershing, No. 10-12227-RGS, at 9 (D. Mass. August 23, 2011). This lack of a private right of action in Chapter 93H may be to blame for a lack of enforcement, as public resources have been strained since the laws went into effect. Nonetheless, the regulations are prescriptive rather than reactive to illegal conduct: they require companies to draft and maintain a “written information security plan”, or WISP.

Under a company’s WISP, there must be procedures for how employees access and use clients’ personal information, and a specific description of how personal information will be protected. “Personal Information” is defined as the first and last name of the Massachusetts citizen, combined with a social security number, credit card number, account number or state ID number. It is not clear at this point whether numbers for documents such as rental applications are considered personal information, or if personal information must be protected after the person is deceased.

Liability for breach of the Massachusetts data protection laws extends to contractors and agents of the company, and penalties may be severe, extending to each and every breach. Where breaches accumulate, the damage awards can be high. For example, the Briar Group, a conglomerate of Boston area restaurants and taverns, settled for $110,000 with the government last year. If you are a company that handles personal data, it may be advisable to keep detailed and clear records of your compliance with the law, including your procedures for an internal breach and reporting mechanisms. Other solutions may include encrypted emailing with customers, security assessments, policy development and employee training.

Some commentators note that a private right of action may exist for breaches of data privacy under Chapter 93A as an unfair and deceptive trade practice. Outside Massachusetts, while there may be practical enforcement and jurisdictional issues with policing Chapter 93H and 201 CMR 17, Coakley could be signaling that her office will bring the issue to the courts. Her comments should signal to companies both in and outside Massachusetts to tighten up their privacy policies.

Do you agree or have other points on this topic?


1. iPhone 4S’ Siri and EU privacy law « Atrilife - November 8, 2011

[…] the courts from further enforcing privacy rights.  Fortunately, individual states such as Massachusetts have taken the lead in addressing privacy concerns through regulation of the use and collection of personal […]

2. Massachusetts Data Protection Law to Include Third Parties as of March 1 « NetSecurityIT - January 27, 2012

[…] Massachusetts data privacy law, outwards and upwards (atrilife.wordpress.com) […]
