For Immediate Release - November 04, 2009

Patrick Administration's Final Data Security Regulations Filed and Take Effect March 1, 2010; State Received Notice of More than 1 Million Instances of Exposure in Two Years

BOSTON - November 4, 2009 - The Patrick Administration's Office of Consumer Affairs and Business Regulation announced today it has filed final regulations that take effect on March 1, 2010. The regulations will help combat many of the vulnerabilities in personal information security that has led to more than 1 million instances of Massachusetts residents' personal information being exposed in two years.

The regulations focus on protecting personal information by mandating any entity storing or transmitting personal information - a combination of a name along with Social Security number, bank account number, or credit card number - ensure the information be encrypted when stored on portable devices or when transmitted over the Internet.

The new provisions will help combat the loss of personal information, which has included 1,057,560 exposures in the last two years. Gov. Patrick signed an identity theft prevention law that included notification to the Office of Consumer Affairs and Business Regulation of data breaches. In the two years since that provision took effect Oct. 31, 2007, the Office has been notified of 807 breach incidents.

"In two years, Massachusetts residents have had to deal with the personal chaos of lost or stolen personal information more than 1 million times," said Barbara Anthony, the Undersecretary of the Office of Consumer Affairs and Business Regulation. "We hope these regulations will make it harder for information to get into the wrong hands, and lower the number of instances of data being lost or stolen."

The regulations filed with the Secretary of State's office are the final step before the regulations take effect March 1. Businesses and other entities holding personal information must create a written security plan that takes into account the entity's size, nature of business, the kinds of records it maintains, and the risk of identity theft.

On Sept. 22, the Office held a public hearing on amended regulations that were announced in August. After reviewing the testimony from the hearing, the Office made language changes in the final regulations to clarify the deadline for third-party compliance. If an entity uses a third party to handle data, the contract must include safeguard provisions by March 1, 2012. Existing contracts are not required to be updated before March 1, 2012, but new or renewal contracts executed after March 1, 2010, must include the provision.

"We heard testimony from a wide range of sources, and the message was that we have struck the right balance. We created regulations that are protective of consumers without being onerous to businesses," Undersecretary Anthony said. "We will continue our outreach to organizations around the state as we prepare for the March 1 implementation date."

Today, the Office of Consumer Affairs and Business Regulation also released a report detailing data breaches in the two years since notifications to the Office became mandatory for any breach including information from Massachusetts residents. Of the 807 notifications, 746 were reported by businesses, 39 were reported by educational institutions, and 45 were reported by state government.

The report finds that in 495 cases, the breaches were the result of criminal or other unauthorized acts, including the theft of laptops or outside access to databases that may not have been encrypted. The rest of the notifications generally demonstrated poor employee handling of personal information, including transporting sensitive data, or simply putting the wrong document in the wrong envelope or e-mail. You can read the entire report by visiting www.mass.gov/consumer . The breach notification report will be under "Publications & Reports."