For Immediate Release - September 22, 2008

Patrick Administration Issues Comprehensive Identity Theft Prevention Regulations & Executive Order

New Data security breach report shows ongoing risks for consumers, need for businesses to improve security standards

BOSTON- September 22, 2008 -In keeping with the Patrick Administration's commitment to protecting consumers, the Office of Consumer Affairs and Business Regulation (OCABR) last Friday issued a comprehensive set of final regulations pdf format of 201 CMR 17.00 Standards for the Protection of...
establishing standards for how businesses protect and store consumers' personal information.

Additionally, Governor Patrick has signed an executive order pdf format of Executive Order 504
requiring all state agencies to immediately take steps to implement security measures consistent with the requirements established by OCABR's regulations for private companies. The order calls for the adoption of uniform standards across government that protect the integrity of personal information and further the objectives of the identity theft prevention law.

"Identity theft can have significant financial repercussions for consumers whose personal information is compromised," said Governor Patrick. "This executive order, in conjunction with the new regulations, demonstrates that we put a premium on consumer protection and are holding ourselves to the same high standards we now expect private companies to follow."

Since the Governor signed the identity theft prevention law last August, OCABR has received reports of nearly 320 incidents that, together, have compromised or threatened to compromise the personal information of 625,365 Massachusetts residents. Sixty percent of the cases involved criminal and/or unauthorized acts, with a high frequency of laptops or hard-drives being stolen. The remainder of the breaches resulted from employee error or poor internal handling of sensitive information. Approximately 75% of the reported incidents involved data that was not encrypted or password protected. To review the report pdf format of notificationsrpt20080918.pdf
, released by OCABR today, please visit

"This report stands as further evidence of exactly why we need a set of comprehensive standards that ensure businesses are taking practical steps to safeguard their customers' personal information," said OCABR Undersecretary Dan Crane. "The guidelines are reasonable in terms of cost and scope and promise to give consumers greater peace of mind that every effort is being made to minimize their exposure to identity theft and fraud."

Recognizing that the majority of breaches involve the theft of portable devices and that data encryption significantly neutralizes consumer risk if information is lost or stolen, OCABR's regulations call on businesses to encrypt documents sent over the Internet or saved on laptops or flash drives; encrypt wirelessly transmitted data; and to utilize up-to-date firewall protection that creates an electronic gatekeeper between the data and the outside world and only permits authorized users to access or transmit data, according to preset rules.

"These sensible measures are already widely-used by the multitude of Massachusetts companies that take protecting customers' personal information seriously," said Crane. "Instituting these procedures will serve to protect not only the consumer but also the company from sustaining financial loss or damage to its reputation."

In addition to requiring that OCABR set standards for how businesses safeguard personal information and that companies notify customers and the state when breaches occur, the identity theft prevention law also gives consumers the ability to place a security freeze on their credit report and access to police reports. Massachusetts residents can lock their credit report in order to prevent identity thieves from establishing credit in their names. The law caps fees to place, lift or remove a freeze at $5. Identity theft victims can now also obtain a copy of their police report from any law enforcement office. Victims need a copy of their police report to put their finances back in order and to qualify for a free security freeze.

The regulations are set to take effect on January 1, 2009. Prior to implementation, companies will be required to conduct internal and external security reviews and complete employee training. OCABR will be meeting with local chambers of commerce throughout the fall to educate businesses about the new requirements. Additional provisions of the regulations include:

  • Develop a security program, designate an employee to manage it, and discipline employee violators;
  • Assess internal and external security risks and the effectiveness of current safeguards, upgrading as necessary;
  • Train employees regarding security;
  • Institute security policies for employees that meet certain specified standards;
  • Prevent terminated employees from gaining access to personal information;
  • Ensure that service providers are capable of protecting personal information, contractually bind them to do so, and have them certify that they have a compliant written information security program.
  • Limit the amount of personal information collected, how long it is kept, and restrict access on a need-to-know basis;
  • Identify records containing personal information, or treat all records as if they did;
  • Regularly monitor employee access to personal information;
  • Review security measures annually, take corrective action when necessary and document action taken in response to security breaches; and
  • Restrict physical access to records containing personal information.

Additional Elements for Electronic Records:

  • Establish user authentication protocols that include control of user IDs and a secure method of assigning passwords (including prohibiting use of vendor-supplied default passwords) or other unique identifiers such as token devices;
  • Make sure password location does not compromise the security of the data it protects, restrict access to active users only and block access after multiple unsuccessful attempts;
  • Restrict access to personal information on a need-to-know basis;
  • Periodic system monitoring for signs of unauthorized use or access;
  • Reasonably up-to-date malware protection and virus definitions.