Massachusetts Data Security Regulations

Written by Cynthia J. Larose and Adam Veness


Last October, a Maloney Properties, Inc. (“MPI”) company laptop was stolen containing unencrypted personal information, including social security numbers, for over 600 Massachusetts residents.  Shortly after the incident, MPI sent letters to customers alerting them of the incident and related data breach.  As a result of that data breach, Massachusetts Attorney General Martha Coakley conducted an investigation into the acts and practices of MPI in protecting the personal information of its customers, as defined by G.L. c. 93H, § 1.  Based on her investigation, Coakley alleged that MPI violated G.L. c. 93H et seq., the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00 et seq., and the Massachusetts Consumer Protection Act (G.L. c. 93A, § 2) by (a) maintaining personal information on an unencrypted laptop, and (b) failing to follow its own Written Information Security Program, as required by 201 CMR 17.03.

To settle the investigation, MPI entered into an Assurance of Discontinuance with the AG on March 21, 2012.  Pursuant to the Assurance of Discontinuance, MPI has agreed to pay a civil penalty of $15,000, and has further agreed that it will:

  • ensure that personal information is not unnecessarily stored on portable devices, including laptops
  • ensure that all personal information stored on portable devices is properly encrypted;
  • ensure that all portable devices containing personal information are stored in a secure location;
  • effectively train employees on the policies and procedures with respect to maintaining the security of personal information; and
  • perform an audit of its compliance with its Written Information Security Program at least annually.

The Assurance of Discontinuance also requires that, for the years 2012 and 2013, MPI submit the results of its audit to the Attorney General’s office within 14 days of completion.  Given that the audit requirement says “on at least an annual basis,” it is conceivable that the Attorney General’s office could require MPI to conduct additional audits if the results are less than satisfactory.

Interestingly, this settlement has gone unreported by local media.  It is the third breach-related enforcement action by the Massachusetts Attorney General’s office.  In August 2011, the AG reached a settlement with Belmont Savings Bank for $7,500 and in March 2011, the AG reached a settlement with Briar Group, LLC for $110,000.   None of the settlements provide any guidance as to what kinds of reported breaches – or activity that relates to a breach – raise red flags at the Massachusetts AG’s office.    In all cases, however, the data was unencrypted in transit (Briar Group) and at rest (MPI and Belmont Savings).

Important Takeaway

If your business owns, stores, or licenses the personal information of Massachusetts residents, as of March 1, 2010, you must have a written information security program — and that program must be appropriately vetted, implemented with proper training of employees, and it must be revisited from time to time to ensure that it is still consistent with your operations.   Say what you do and make sure that you do what you say.

Contact a member of the Mintz Levin Privacy team for more information related to compliance with the Massachusetts data protection regulations, and for more information related to the legal requirements for when and how you must notify customers of a data security breach.   We’ve written extensively about compliance with the Massachusetts regulations, here.


For further information about the MPI settlement:

Attorney General Press Release

Maloney Properties, Inc. Letter to Affected Customers


Once again, we have evidence that failures to implement the most basic of data security measures can cost real money.

The Massachusetts Attorney General’s office announced a consent order that fines a Boston restaurant group $110,000 and imposes a set of compliance measures that will also carry a price tag.   Despite many headlines trumpeting the “first enforcement action,” this action was not brought by the AG’s office under the Massachusetts data security regulations. It was a consumer protection action brought by the Attorney General under the Massachusetts consumer protection law, 93A. 201 CMR 17.00 certainly played a part in the consent order and the Briar Group is required to implement a written information security plan, and supply a copy to the AG’s office within 14 days of the order.  The standards set out in 201 CMR 17.00 are the framework around which the settlement order is built, but the action was not one to enforce those regulations.   Those are coming.

A copy of the consent order is here –  Briar Signed Consent Judgment – 3-28-11 (3).pdf.

Much has been written and blogged over the last couple of days about the consent order.  But, what should business take away from this?   The retail and hospitality business is particularly vulnerable to data breaches due to the volumes of credit card information that they process every day.   But they are also responsible for dealing with that aspect of their business as a part of doing business.

More after the jump.

Continue Reading Into the Breach – Security Failures Can Cost You

As we’ve discussed here since December (here, here), the Federal Trade Commission has been in a public comment period for its Privacy Framework.  The comment period closed last Friday, and more than 400 comments were filed by individuals, government agencies (both US and international) and industry groups and representatives.   Over the next few days, we’ll review and summarize the comments received.


Written by Stu Eaton

Massachusetts Attorney General Martha Coakley filed a comment letter with the FTC, on behalf of the Attorneys General of fourteen other states[1] (the “States”).  The States’ comment focused on three of the questions raised in Appendix A the Privacy Report regarding: (i) whether companies should provide substantive privacy protections in addition to those set forth in the report; (ii) the scope of the definition of sensitive information and sensitive users; and (iii) whether the FTC should explore additional protections in the context of social media services.

The States’ also argued that any federal laws or regulations protecting consumer privacy should not preempt states from enforcing their own laws and regulations.  As you’ll recall, Massachusetts has one of the toughest set of data security regulations in the country.

Notably absent from the proceedings was the California Office of Privacy Protection, which said it lacked the resources to prepare a comment but, after being contacted by Mintz Levin, explained that it approved of the FTC’s apparent effort to resurrect the forgotten Fair Information Practice Principles that would provide consumers with meaningful choices and more control over personal information by limiting the collection and use of that information.

Details of the AG’s letter after the jump. 


[1]               Attorneys General from the following states were also signatories to the letter: Arizona, Illinois, Indiana, Iowa, Montana, Nevada, New Mexico, New York, North Dakota, Rhode Island, Tennessee, Vermont, Virginia and Washington.

Continue Reading Federal Trade Commission receives large number of public comments

Since March 1, 2010, privacy professionals have been waiting for a data breach that could bring an enforcement action under 201 CMR 17.00, the Massachusetts privacy regulations.   I just spoke with Paul Roberts, editor of, a blog that posted an entry yesterday regarding a breach that could do just that.   Twin America LLC, the parent company of bus tour company CitySights NY, says the credit card details of 110,000 customers were stolen in a Web based attack and suggests it wasn’t following Payment Card Industry guidelines for storing card data.

Continue Reading Data Breach at NYC “Hop-on, Hop-off” Tour Company — 110,000 credit card numbers stolen

On July 13, Mintz Levin will be joined by Sophos, Six Weight Consulting, and MFA Cornerstone Consulting to hold a free compliance workshop focused on both the gaps and overlap of Massachusetts’ data protection regulation 201 CMR 17.oo and the recent updates to federal health and medical data privacy found in the HITECH Act. We’ll have an interactive hands-on workshop that will help you to address some critical questions within your organization:

  • What are my organization and business partner’s obligations?
  • What kind of information do I need to protect and how do identify it?
  • Is data encryption necessary?
  • What is a WISP?
  • What is a data breach and what is my responsibility and liability if I have one?For information or to register to attend the event, which will be hosted by Mintz Levin in our downtown Boston office, please click this link:

In case your data security compliance plan is stuck in neutral, you have questions, or you haven’t started yet…there will be a free (!) breakfast hands-on workshop on Thursday in Tewksbury, MA.

“Massachusetts Data Protection Law: Demystifying the Details” is being sponsored by the Merrimack Valley Venture Forum. The Merrimack Valley Venture Forum has assembled a panel of legal, technology, and process experts to break down the law and give you a clear path to compliance through a hands-on workshop. Panelists include: Cynthia Larose, Mintz Levin, Matt Pettine, MFA Cornerstone Consulting, Nagraj Seshadri, Sophos, and Mike Spinney, SixWeight. Registration through Wednesday afternoon at 5:00 pm at

Bring your questions!

After implementation delays and rule changes, new data protection regulations that are widely considered the most stringent in the nation take effect today. The Massachusetts data security regulations require institutions that hold personal data on Massachusetts citizens to encrypt that information and implement written data protection policies, reports the Boston Globe.

Discussion continues and questions abound. Will this set the bar nationwide as the articulation of what constitutes “reasonable security” for personal information? How should companies handle the varying risk of harm standards when dealing with state laws and federal law, such as the HITECH Act?

At the beginning of the “countdown” to the March 1st effective date of 201 CMR 17.00, we offered some posts with “misapprehensions” and compliance suggestions (see
16 Days to March 1….. and Countdown to compliance with 201 CMR 17.00…..11 days). Here are some questions that have been reoccurring over the last few weeks:

1) What should I be doing about the requirement relating to third party service providers and how does my company get “assurances” that those service providers (like payroll and benefits) are in compliance?

The answer to this will depend upon the kind of access and extent of information that the vendors have. Some companies have created extensive 3rd party/ vendor PI due diligence forms and processes. In the end, all your vendors should provide their own attestation that they are capable of meeting the requirements of 201 CMR 17.00 as part of the vendor review process, and it should be part of the contract. Depending on the situation, targeted risk assessments of vendors may be appropriate, as well as detailed security exhibits attached to contractual agreements. With existing service providers, if the contract is in place by Monday, you will have two years to amend it….but you should be addressing the security safeguard issues now.

2) What about faxes? How can I encrypt those, and is that required under 201 CMR 17,04?

A rather complex answer, but if the fax machine is using the Plain Old Telephone System (POTS to telecom engineers) this is not a “Public Transport” as used in 17.04(3). POTS is a private, switched, 2 party connection. The fax transmission in this case is simply not traveling over a public connection….and does not need to be encrypted nor would the fax machine require an encryption key technology. There are many other concerns with the “process” of sending and receiving faxes, most of these fall under logical or physical access controls, that are required elsewhere in 201 CMR 17.00. One thought of caution, is that there are many FAX systems that are NOT, 100% based on POTS or based on private switched network technology. If your business uses eFax or some other Internet-based form of transmission, that may be going to a traditional fax machine — it’s POTS to me, but an email to you that is traveling over the public network. If you have a concern about the security of PI in a process, then you most likely have something which needs to be locked down and controlled.

3) We have a good handle on the computer system security requirements and the technical issues, including the whole portable device issue, but what about all that paper?

Start with the basics – do you really need to have the PI in paper format, and do you need as much as you have? If you don’t have it, you can’t lose it. Keep track of what is in the file, so missing items will be noticed, and to enable you to comply with data breach notification obligations if the worst happens. Simple things like: use color-coding and labels to indicate the sensitivity of the file; consider whether the original or a copy can be taken, if a copy, track the number of copies and stamp them; physically attaching documents to a folder makes copying/losing items more difficult. Use log-in/out records for the files. Remind employees to keep the records in sight or in a safe location when out of sight – use a briefcase lock if there is one, keep files in the trunk of the car and not on the car seat. The most important step is to make sure the plan is followed and to TRAIN EMPLOYEES. Companies can craft great policies and procedures to handle PI and comply with 201 CMR 17.00. But if employees and third parties are not educated and trained in these policies then compliance with the law is highly unlikely! Training, training, training. Security awareness is a big key to avoiding the unfortunate data breach.