United States: New Massachusetts Data Security Law And Regulations - Comprehensive Information Security Plan Required Before March 1, 2010

Last Updated: February 12 2010
Article by Catherine M. Anderson and Jeffrey D. Collins

As many of you are aware, The Commonwealth of Massachusetts has adopted a new data security law, and regulations thereunder (the "Regulations"), intended to protect its residents from identity theft. While the new law primarily addresses the required response by a company which is subject to an identity theft (prompted by the TJX data breach), the Regulations also set forth measures that businesses, including investment advisers and private fund managers, located in Massachusetts or elsewhere must take to safeguard the personal information of Massachusetts residents. Such measures include the adoption of a comprehensive information security program. While many other states have adopted information security regulations, the requirements set forth in the Regulations have been recognized as some of the most detailed and comprehensive requirements in the country. Final regulations were filed by the Massachusetts Office of Consumer Affairs and Business ("OCABR") on November 4, 2009 and the Regulations principally become effective on March 1, 2010. A full text of the Regulations may be found at the Massachusetts OCABR's website. This memorandum is intended to inform investment advisers and private fund managers of how the Regulations will impact them and what they need to do to comply.

1. To whom do the Regulations apply?

The Regulations apply to any person or business that owns or licenses "personal information" of a Massachusetts resident, including registered and unregistered investment advisers and private fund managers with Massachusetts clients, investors or employees. If you are an SEC registered investment adviser with Massachusetts clients, investors or employees, then you must also comply with these Regulations even though you are already complying with Regulation S-P.

The investment adviser/fund manager does not have to be located in Massachusetts in order to be required to comply with the Regulations. If you are an investment adviser (either registered or unregistered) or fund manager located outside of Massachusetts then you must comply with these Regulations if you have investors or clients located in Massachusetts. The Regulations define "personal information" as a person's first name and last name or first initial and last name in combination with that person's social security number, driver's license number (or other state-issued identification number), or financial account number (or credit or debit card number with or without any required password, PIN etc.) and includes personal information of both your investors/clients and employees. As a practical matter, every investment adviser and fund manager is in possession of "personal information." Personal information does not include information that is lawfully obtained from publicly available information or from federal, state or local government records lawfully made available to the general public.

2. What do the Regulations require?

The Regulations require that every person or business that has the "personal information" of a Massachusetts resident develop, implement and maintain a "comprehensive information security program ("CISP") that is written in one or more readily accessible parts" by March 1, 2010. In practice, this will mean that you will need to review and update your existing privacy and data protection policies to be compliant with the Regulations and adopt in writing a CISP. You also need to train your employees with respect to such policies. The information security program must be reasonably consistent with industry standards and must contain administrative, technical, and physical safeguards to protect the personal information of Massachusetts residents.

The Regulations require a program that is tailored to your business. The Regulations set forth a list of elements that every CISP must include (see the Appendix to this memorandum).

Some elements of your CISP can be included in your compliance manual but matters pertaining to your computer system security requirements or which would otherwise assist a potential violator should be kept confidential to those employees who are required to know the information to carry out their roles. We also recommend that you have a summary of your CISP available as a stand alone document that may be provided to your investors and clients (upon request) during any due diligence processes, or to regulators in an exam.

3. How do I develop a comprehensive information security program?

Developing an information security program requires a careful assessment of your business's needs and may not necessitate a complete overhaul of your current security methods. We recommend you first review the elements required to be included in the program as set forth in the Appendix. You may also find it helpful to review the checklist prepared by the Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulation here (www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf). We have also developed a guidebook to developing a CISP which you can download here (http://tinyurl.com/yg76bwg ). Once you have developed your draft CISP, please send it to us and we would be happy to review it for compliance with the Regulations.

4. What are my obligations to verify that any third-party service providers I retain are also protecting the personal information of Massachusetts residents?

In many cases, you may be providing certain third-party service providers (for example, fund administrators or banks), the personal information of Massachusetts residents. The Regulations require that you take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information in a manner that complies with the Regulations and any applicable federal regulations.

This would likely require you to engage in some level of due diligence with respect to service providers who have access to "personal information" to determine what data security measures they have in place, and to obtain representations with respect to such measures. You should also check that your third-party service provider has in place adequate insurance in the event of a data/security breach. You should review their "general liability" policy to ensure that it does not have an exception for liability due to data breach, and whether a separate "cyber and data security" policy needs to be in place.

Under the Regulations, you must also require such third-party service providers by contract to implement and maintain appropriate security measures for personal information. There is a grandfather provision that deems any contract with a service provider entered into before March 1, 2010 to be in compliance even if it makes no reference to data protection. The grandfather provision expires March 1, 2012, however, so any contract regardless of when signed must be brought into compliance by such date. Although not required by the Regulations, we recommend that you receive an initial certification from your third-party service provider as to compliance with the Regulations which you would then require such provider to update on a regular (at least annual) basis.

5. What are the Computer System Security Requirements in the Regulations?

Your CISP will need to include the establishment and maintenance of a security system covering your computers (including any wireless system). The most burdensome requirement is likely to be the requirement of encryption of all personal information stored on laptops or other portable devices and the encryption of all transmitted records and files containing personal information that will travel across public networks and encryption of all data containing personal information to be transmitted wirelessly. You should review the means of delivery of your subscription agreements or other documents containing "personal information" to your administrators (and vice versa). In addition, the security system needs to include "secure user authentication protocols" including control of user IDs, a reasonably secure method of assigning passwords, control of data security passwords, restricting access to active users, and blocking access to user identification after multiple unsuccessful attempts. You also need to ensure that you have "secure access control measures" in place that restrict access to records and files containing personal information to those who need such information to perform their jobs. You will need to monitor your systems for unauthorized use or access to personal information and ensure that you have up-to-date firewall protection and operating system security patches together with reasonably up-to-date malware protection, patches and virus definitions. It is likely that for many investment advisers and fund managers these computer system security requirements will already be in place, but they should be memorialized in the CISP. The CISP also needs to include education and training of employees on the proper use of the computer security system and the importance of personal information security.

6. How must I manage a breach of data security in light of Regulations?

The Regulations, in summary, define a "breach of security" as an unauthorized acquisition or unauthorized use of (i) unencrypted data or (ii) encrypted electronic data and the confidential process or key needed to defeat the encryption. To be a "breach of security" the acquisition or use must also create a substantial risk of identity theft or fraud concerning a Massachusetts resident.

A breach of data security can occur in several ways, the most common being the theft or loss of computer hardware, the misuse of company information by an employee, or inadvertent disclosure by an employee (for example, sending an email with the wrong attachment).

Under the Regulations, a business must document responsive actions taken in connection with any incident involving a breach of security and conduct a mandatory post-incident review of events and actions taken, if any, with a view to making any needed changes in business practices relating to protection of personal information. Further, under recently enacted laws in Massachusetts, the business is subject to a notification obligation that it must fulfill "as soon as practicable and without unreasonable delay." Specifically, it must notify the affected individuals of the date of the breach, the steps that have been taken or will be taken to deal with the breach, the individual's right to obtain a police report, and instructions for the individuals to request a credit report security freeze. It must also notify the Massachusetts Attorney General and the Director of the Consumer Affairs and Business Regulation of the date of the breach, the plans to deal with the breach, and the number of people affected by the breach.

Other states have data security regulations that have different notification requirements. You should consult with us to determine the correct course of action if a data breach occurs and you have clients/investors in multiple states.

7. Do the Red Flags Rules apply to investment advisers?

The FTC, FDIC and other federal regulatory authorities adopted the Red Flags Rules in January 2008 in response to the enactment of the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681. The Rules requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs (i.e., "red flags") of identity theft in their day-to-day operation and to mitigate the potential harm caused to consumers. The Rules have been in effect for banks, credit card companies and traditional financial institutions since November 1, 2008. However, there have been delays in enforcement of the broadest of the Red Flags Rules, as set forth in 16 C.F.R. Part 681, which apply to "creditors." In 2008, the FTC caused considerable controversy by construing the term "creditor" to apply to any business that sells goods or services now and bills its customers later. Based on this reasoning, conceivably it is possible that the Red Flags Rules could be deemed to apply to investment advisers or private fund managers who charge their management fees in arrears. It should be noted that attempts have been by professional groups to limit this broad interpretation of the definition of "creditor." The American Bar Association, for example, was successful in obtaining a judgment that lawyers were exempt from the Red Flags Rule and the American Institute of Certified Public Accountants is also currently seeking summary judgment on this issue (before the same judge that decided the ABA case). At this time, however, we are recommending that investment advisers and fund managers take a conservative approach and comply with the Red Flags Rules because the requirements are not onerous and investment advisers and fund managers could integrate a program into the adoption of a CISP.

The FTC has repeatedly postponed the original November 1, 2008 deadline for businesses swept into the broad FTC definition of "creditor," most recently until June 1, 2010.

The FTC has released a "do-it-yourself prevention program" for businesses that have a low risk of identity theft, "such as businesses that know their customers personally," which may be the case with many investment advisers and fund managers. You can view the prevention program here (www.ftc.gov/bcp/edu/microsites/redflagsrule/RedFlags_forLowRiskBusinesses.pdf).

According to the FTC, the June 1, 2010 deadline should give "low-risk" businesses an opportunity to use the FTC prevention program to develop a compliant program containing the elements set forth below. The basic elements of a compliant identity theft prevention program include:

  • The appointment of an identity theft / information security coordinator
  • Procedures to identify Red Flags and warning signs of identity theft and security risks
  • Procedures for responding to Red Flags that have been detected
  • An effective training program to educate staff on how to recognize and respond to Red Flags
  • Ongoing oversight and monitoring of the identity theft prevention program.

We will continue to monitor the application of the Red Flags Rules to investment advisers and private fund managers and provide you with any updates.


Summary of Minimum Standards of Comprehensive Information Security Program

The following is an excerpt from the Regulations stating the minimum standards which every information security program must meet. For updated information, please refer to the Regulations (201 CMR 17.00) which may be found at the Massachusetts Office of Consumer Affairs and Business Regulation's website.

17.03 Duty to Protect and Standards for Protecting Personal Information
Every comprehensive information security program shall include, but shall not be limited to:

(a) Designating one or more employees to maintain the comprehensive information security program.

(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information; and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting identified risks, including but not limited to: (i) ongoing employee (including temporary and contract employee) training; (ii) employee compliance with policies and procedures; and (iii) means for detecting and preventing security system failures.

(c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.

(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.

(e) Preventing terminated employees from accessing records containing personal information.

(f) Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations;

(g) Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person's behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.

(i) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.

(j) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.

(k) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

In association with
Related Topics
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions