In the wake of a series of alarming data breaches that put thousands of Massachusetts consumers at risk of identity theft, the Boston Globe reports that state regulators released new rules yesterday ordering businesses to better safeguard consumers’ personal information.
The regulations, issued by the Massachusetts Office of Consumer Affairs and Business Regulation, require companies that handle personal information such as credit card accounts and Social Security numbers to encrypt data stored on laptops, monitor employee access to data, and take other steps to protect customer information, beginning Jan. 1. Governor Deval Patrick also signed an executive order requiring state agencies to take similar measures, the Globe reports.
“This is necessary because of the growing concern among consumers about the large number of breaches of data containing their personal information,” said Daniel Crane, undersecretary of Consumer Affairs and Business Regulation.
Framingham-based TJX Cos., which operates TJ Maxx and Marshalls stores, said last year that at least 45.7 million cards were exposed in a computer breach. In March, supermarket company Hannaford Bros. reported a breach, potentially exposing 4.2 million credit and debit card accounts to fraud. This month, mortgage company Countrywide Financial Corp. said more than 45,000 Bay State consumers could be affected by a security breach, and Bank of New York Mellon revealed that a data breach in May may have put at risk personal information from more than 400,000 Massachusetts residents, twice the original number reported.
Shortly after the TJX incident, Patrick signed sweeping legislation requiring companies to notify the state of future security breaches and ordering the consumer affairs agency to craft new regulations. Since then, companies have reported nearly 320 security breaches to the state, affecting more than 625,000 residents. Many involved stolen laptops and hard drives. In three of four cases, the data were not encrypted or protected by a password.
After business groups raised objections to an early draft of the rules, Crane said, the agency made several changes. For instance, he said the agency tweaked the definition of encryption and removed a requirement that companies maintain an audit trail of where they keep personal data.
Some data are exempt. Specifically, the regulations only cover “personal information” – defined in the law as a resident’s first and last name in combination with a Social Security number, driver’s license number, or financial account number. The legal definition does not apply to Social Security numbers or credit card numbers alone.
However, David Murray, a lawyer for the consumer affairs agency, said the new rules could still expose companies to greater liability from civil lawsuits if they don’t fully safeguard credit card numbers and other data not explicitly covered by the law, because lawyers could point to the requirements as an example of the minimum care companies must take to protect sensitive data.