By Robert S. Kutner, Esq.
Theft of personal information of individuals has become more prevalent in recent years, compromising credit cards, social security numbers, bank accounts, and other financial information. Numerous incidents have been reported in which electronic data has been taken from retail businesses as well as financial institutions.
Data Security Law
As a result, Massachusetts has enacted a Data Security Law, General Laws Chapter 93H, which requires all persons and businesses with personal information to adopt written policies for protection of information. Regulations pursuant to this law become effective January 1, 2010, and are far-reaching. Technically, real estate brokers and agents who receive such personal information fall within its scope. Therefore, it is essential that all REALTORS® understand this new law.
Because of the scope and burden of the law, many industry groups are seeking revisions. The Massachusetts Association of REALTORS® is working with those groups. Before expending substantial sums or time to develop a written information security program (WISP), it is recommended that REALTORS® check to determine if efforts to amend the regulations have been successful.
To Protect Personal Information
The law is intended to protect the “personal information” of Massachusetts residents. “Personal information” is defined as a person’s name in combination with their: (1) social security number; (2) driver’s license number or state-issued identification number; or (3) financial account number, credit card information, or other PIN number or code that would permit access to the person’s financial account. Information that is publicly available is not protected personal information. The regulations cover personal information of clients, customers, third-party service providers, employees, and independent contractors.
Real estate brokers and agents may receive “personal information” in connection with listings, offers, purchase and sale agreements, or closings that place them within the scope of this law. For example, it is not uncommon for REALTORS® to: (a) obtain social security numbers of buyers or sellers, particularly if a deposit is being held in escrow; (b) be given a copy of a HUD-1 settlement statement with “personal information” at closing; or (c) request or receive financial and credit information of prospective tenants.
The Law’s Requirement
The new Massachusetts data security regulations require that each person obtaining such “personal information” adopt a comprehensive written security program to safeguard such information, whether the information is kept on paper, on a computer, or in another electronic form. The regulations state that each “comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records.”
The data security law applies to files for closed transactions as well as current transactions. Therefore, it is recommended that each office undertake a review of both its open and closed files to identify where “personal information” is found and to develop policies and procedures to safeguard the information. If data is maintained on a computer system, it may be necessary to consult a professional for installation of appropriate software to safeguard the system. It is also recommended that each office review its current forms to ensure that unnecessary collection of such information is eliminated. Once the review is complete, a written information security program should be prepared.
WISP Must Include…
Regulations implementing the new law were issued by the Office of Consumer Affairs and Business Regulation (“OCABR”) and the full text can be found online by searching: 201 CMR 17.00. At the time this article was written, the regulations required that each WISP must include each of the following elements:
1. Designating one or more employees to maintain the comprehensive information security program;
2. Identifying reasonably foreseeable risks (internal and external) to security, including ongoing training of employees, compliance, and means for detecting security system failures;
3. Developing security policies for employees that take into account whether and how employees should be allowed to keep, access, and transport records containing personal information outside of business premises;
4. Imposing disciplinary measures for violations of the comprehensive information security program rules;
5. Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names;
6. Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such information;
7. Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected, and limiting the time such information is retained;
8. Identifying paper, electronic, and other records, as well as computing systems and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information;
9. Establishing restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storing such records and data in locked file cabinets or facilities;
10. Monitoring and upgrading safeguards, including annual reviews; and
11. Documenting responsive actions taken in connection with any incident involving a breach of security.
Security requirements for computer systems include:
(a) Adopting secure user authentication protocols with control of user IDs and other identifiers, and a secure method of assigning and selecting passwords and restricting access to active users;
(b) Establishing secure access control measures that restrict access to records and files containing personal information to those who need such information to perform their job duties;
(c) Encrypting all transmitted records and files containing personal information;
(d) Monitoring systems for unauthorized use of, or access to, personal information;
(e) Encrypting all personal information stored on laptops or other portable devices, such as PDAs;
(f) Installing up-to-date firewall protection for systems connected to the Internet; and
(g) Educating employees on the proper use of the computer security system and the importance of personal information security.
Notice of any breach of security must be given to each person affected and to the OCABR. The Attorney General’s office has authority to enforce the law pursuant to Chapter 93A. No additional monetary penalty or private right to file a lawsuit is provided by the law.