Massachusetts Information Security Regulations Take Effect on March 1, 2010

Posted on February 23, 2010

After several delays and revisions, the Massachusetts information security regulations, entitled "Standards for the Protection of Personal Information of Residents of the Commonwealth," will take effect on March 1, 2010. The regulations apply to entities that own or license personal information about Massachusetts residents. "Personal information" is defined as a combination of a resident's first and last name and Social Security number, driver's license or state ID number, or financial account number or payment card number that permits access to the individual's financial account.

The regulations require entities to develop, implement and maintain a written, risk-based information security program that takes into account the entity's size, the nature of its business, the types of records it maintains and the risk of identity theft posed by the entity's operations. Also set out in the regulations are numerous administrative, technical and physical safeguards that the required information security program must include.

Finally, the regulations require covered entities to take steps to select and retain service providers that are capable of appropriately safeguarding personal information. Covered entities must contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements, provided, however, that service provider contracts entered into no later than March 1, 2010, are exempt from complying with this requirement until March 1, 2012.

In previous blog posts, we reported that the Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments, as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations. The most recent round of amendments was announced on August 17, 2009.


FTC Privacy Report Emphasizes Privacy by Design, Individual Control and Transparency

Posted on March 27, 2012

On March 26, 2012, the Federal Trade Commission issued a new privacy report entitled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers." The report charts a path forward for companies to act in the interest of protecting consumer privacy.

In his introductory remarks, FTC Chairman Jon Leibowitz indicated his support for Do Not Track stating, "Simply put, your computer is your property; no one has the right to put anything on it that you don't want." In later comments he predicted that if effective Do Not Track mechanisms are not available by the end of 2012, the new Congress likely would introduce a legislative solution.

The FTC's privacy framework focuses on three principles (privacy by design, simplified consumer choice and transparency), and provides steps companies can take to implement them. These principles are reflected in recent FTC consent orders entered into with Google and Facebook, and they mirror similar requirements in the European Commission's proposed privacy regulation.

The simplified choice principle builds on the preliminary 2010 report, which excluded five categories of "commonly accepted" information collection and use practices from the choice requirement. Instead, the final report takes a modified approach that relies on the context of the transaction. This gives companies greater flexibility but requires them to assess the context of each interaction, which in turn increases the need for a company to have a comprehensive privacy program.

The FTC has indicated that its principles should facilitate global interoperability: they are consistent with both the APEC Privacy Framework and the OECD guidelines, and the privacy by design principle specifically is reflected in forthcoming guidance from Canadian privacy authorities. Privacy by design requires implementation of privacy protections in all aspects of a company's business operations, which has been a key element of the Centre for Information Policy Leadership's work on accountability. Commonly accepted information collection and use practices were first articulated by the Business Forum on Consumer Privacy.

The FTC's report recommends that Congress act in three areas, calling for baseline privacy legislation and renewing the call for legislation to address issues surrounding data security and the activities of data brokers. The report also identifies five ways in which the FTC intends to promote the framework's implementation through policymaking in 2012, calling on the business community to join the Commission in its efforts to:

  • Work with browser makers, the Digital Advertising Alliance and the World Wide Web Consortium to complete work started on a Do Not Track solution.
  • On May 30, 2012, convene a workshop to explore how to make privacy disclosures for mobile applications short, effective and accessible.
  • Encourage data brokers to create a centralized website that identifies data brokers and describes the access rights and other choices they offer consumers.
  • In late 2012, host a workshop to consider issues surrounding large platform providers that track consumers' online activities (e.g., ISPs, operating systems, browsers, social media). A senior FTC staffer indicated that these providers' ubiquitous information collection practices create privacy concerns that cannot effectively be managed by consumer choice alone.
  • Participate in the Department of Commerce's multi-stakeholder process to develop binding codes of conduct, and use the FTC's authority to prosecute unfair and deceptive practices to enforce such codes when companies assert they will abide by them.

The report issued today was adopted by a 3-1 vote of the Commissioners. Commissioner J. Thomas Rosch issued a dissenting statement citing his concerns that the FTC is emphasizing unfairness rather than deceptiveness in promoting the principles, and that support for the report's findings by large businesses might stifle innovation.

The FTC's report is being released just over a month after the Obama Administration issued its Consumer Privacy Bill of Rights, which also calls for increased transparency in privacy and data security practices.
