See my original January 2008 post (updated) for a discussion of this subject. After considerable back-and-forth between business interests and the Office of Consumer Affairs and Business Regulation (OCABR), final regulations were issued, relaxing somewhat (but not entirely) the new requirement that businesses handling sensitive personal information adopt written security policies.
Among the thornier issues is the requirement that “owners and licensees” of this information mandate compliance in their third-party contracts. In response, a limited grace period is extended for contracts executed before March 1, 2010: those contracts must be brought into compliance by March 1, 2012.
Given the momentum at the state and federal (HITECH) level, businesses that are not yet encrypting this information where the regulations require it (in transit over public networks or wireless links, and at rest on laptops and other portable devices) now fail to do so at their peril.

New Year’s Resolutions for Business Owners
It’s hard to believe, but 2009 is fast approaching, and now is the time to take stock of how your business has fared in 2008 and whether any changes should be implemented to take effect in the coming year.
- Review your organizational structure – corporations, LLCs, general or limited partnerships (those of you who are sole proprietors, consider a more formal structure that can limit your personal liability!). If your business has been organized as one of the preceding entities, is it in compliance with the laws of your state? If you want to make any changes and are on a calendar fiscal year, it’s easier if you do so by year end.
- Review your operating agreements – your leases, your licenses, your employment and consulting agreements. Are any not working out? Some may have termination provisions with notice requirements. Others may have expiration dates – especially leases – and there may be options to extend that you need to remind yourself of. Are there restrictions that might complicate or delay your new business opportunities? Take a look at what you want to change for the coming year, and establish the business reasons for doing so before you review them with counsel. And if you have any claims or disputes, raise them right away.
- Review your vendor and customer agreements, for the same reasons.
- Once again, the hot topic for 2009: review the status of your employees and contractors. It’s not uncommon for bootstrapping businesses that can’t afford increased payroll taxes and benefits to bring on “contractors” whom the law unfortunately sees as employees. The IRS has been on to this for a while, but Massachusetts and other states have closed the gap by enacting new legislation. This gap-closing first appeared several years ago in the context of unemployment claims brought in Massachusetts by so-called consultants, who prevailed against their employers; the employers were then fined for failure to make unemployment insurance and workers’ compensation contributions. There can be some comfort in documenting the consulting arrangement, but in the end the facts, and not the words, matter. The IRS’s website lists the factors the IRS uses to make its determination for tax purposes, and the Massachusetts Attorney General’s website lists the factors it uses. The most important ones are whether the person is subject to your direction and control, whether this type of work is part of your normal business operations, whether he or she does the job on your premises using your tools, and whether he or she does this type of work for others.
- Review your intellectual property protections. Have you registered the copyrights in the software or other expressive works you’ve developed? Have you talked to a patent attorney regarding your latest idea or invention? Have you registered your trademarks – your product and service names and logos? Do you have nondisclosure and confidentiality agreements in place with your employees, your consultants, strategic partners, and others with whom you talk or work regarding your ideas and inventions? Have you documented the creation of your technology and inventions and established in writing who owns them? Do you have the right disclaimers and terms of use on your website?
- Review your insurance coverage for any changes or increases you’d like to make – especially if you’ve gone from R&D to manufacturing. Technology businesses in particular need to pay attention to this, because customers and licensees are becoming more sophisticated and requiring that coverage be in place before they’ll do business.

SUMMARY
Effective March 1, 2010, any business that receives, accesses, processes, maintains, or stores non-public personal information of Massachusetts residents must have in place and implement a written security policy that safeguards that information, regardless of the type of record and media in which it is contained, and must obligate its third-party service providers to do likewise.
This means that, by March 1, 2010:
- Counsel should review your existing policy for compliance
- If you do not have a written policy you should work with counsel to prepare or obtain one that is compliant
- Counsel should review your existing service contracts for compliance
- Counsel should prepare a form of agreement for your use with service providers
BACKGROUND
In September 2008, the Massachusetts Office of Consumer Affairs and Business Regulation issued final regulations establishing standards for the protection and storage of Massachusetts residents’ personal information. Found at 201 C.M.R. §§17.00 et seq., the regulations define “personal information” as a Massachusetts resident’s first (or first initial) and last name in combination with his or her (a) Social Security number; (b) driver’s license number or state-issued identification card number; and/or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password, that would permit access to a resident’s financial account. Financial accounts include debtor accounts for routine business and are not limited to bank or credit card accounts. Publicly available information is not within the scope of this definition.
The regulations were originally scheduled for implementation in 2009; push-back by business interests resulted in some modest relaxation, but the overall thrust of the regulations remains largely the same. They impose minimum standards by which any person, natural or corporate, other than a governmental body, that receives, stores, maintains, processes, or otherwise has access to non-public personal information about a resident of the Commonwealth in connection with the sale of goods and services or employment, must develop and implement a written security program, including disciplinary policies for infractions and corrective measures for failures, and must obligate third-party service providers to likewise develop and implement their own compliant written security program. Where data is stored electronically, the program must address computer systems and wireless networks as well: secure user authentication and access controls, encryption of personal information transmitted over public networks or wirelessly and of personal information stored on laptops and other portable devices, monitoring of systems for unauthorized use, reasonably up-to-date firewall, patch and malware protection, and employee training on the program.
Originally scheduled to take effect first on January 1, 2009, and then May 1, 2009, the effective date for compliance is now March 1, 2010.
