With potential implications for anyone doing business with a Massachusetts resident, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) held a public hearing today concerning the proposed regulation 201 Mass. Code Regs. 17.00, the new Standards for the Protection of Personal Information of Residents of the Commonwealth.  The proposed regulation  represents one of the most far-reaching information security and related compliance requirements in the country.  It mandates a comprehensive written information security plan applicable to any records containing personal information (as defined) of Massachusetts residents.

The purpose of the new regulation is to implement the provisions of Mass. Gen. Laws ch. 93H, Security Breaches, which became effective on October 31, 2007, relative to standards to be met by those who own, license, store or maintain personal information about residents of the Commonwealth.  These safeguards, for both paper and electronic records, are meant to ensure the security and confidentiality of such information in a manner consistent with industry standards, protect against anticipated threats or hazards to the information’s security or integrity, and prevent the unauthorized access to or use of this information in a manner that creates a substantial risk of identity theft or fraud against Massachusetts residents.

“Personal information” is a Massachusetts resident’s first name or initial and last name in combination with any one or more of the following data elements that relate to such resident:  Social Security number; driver’s license number or state-issued identification card number; or financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.  The term “financial account number” is not defined either in Ch. 93H or the proposed regs., and may encompass, for example, any business, insurance company, merchant, health care provider, pension or benefits administrator that maintains an identifiable numbered account of a Massachusetts resident.

The new regulation requires the development, implementation, maintenance and monitoring of the information security program, applicable to any records, both hardcopy and electronic,  containing such personal information, along with access and other controls.  The proposed regulation also details specific computer system security requirements (e.g., use of 128-bit data encryption, firewalls, anti-spyware, audit trails, and access blocks for multiple failed login attempts).  In addition, there must be documented response actions to actual or potential data breaches, and mandatory post-incident review of such events.

The OCABR left the record open for further comments until Friday, January, 25, 2008.