Massachusetts Data Security Regulations WISP

Mass. Data Security Regulations, effective March 1, 2010

For further information on this issue, please see the following links directly to the materail prepared to help you create office policy and comply with the regs:

Frequently Asked Questions:
Sample Small Business Policy:
Compliance Checklist:
Requirements for Security Breach Notification:
Data Security Regulations:

Personal information: a Massachusetts resident’s first name and last name or first initial and
last name in combination with any one or more of the following data elements that relate to
such resident: (a) Social Security number; (b) driver’s license number or state -issued
identification card number; or (c) financial account number, or credit or debit card number,
with or without any required security code, access code, personal identification number or
password, that would permit access to a resident’s financial account; provided, however, that
“Personal information” shall not include information that is lawfully obtained from publicly
available information, or from federal, state or local government records lawfully made
available to the general public.

Massachusetts has joined the majority of states in enacting a comprehensive data security law which governs theway personal information must be protected. After several delays the Massachusetts Office of Consumer Affairs has issued the final regulations to address the issue which become effective on March 1, 2010. Unlike previous draft versions of the regulations, the final regulations use a risk-based approach that directs businesses to establish a written comprehensive information security program (“WISP”) based on their size, scope and available resources. The final version of the regulations were changed as a result of input from MAR and other groups. The changes were primarily intended to ease the burden on small businesses that may not handle a considerable amount of personal information or may not have the resources readily available to develop a sophisticated security program.

Do the new regulations apply to real estate brokers and salespersons?
yes. The regulations apply to any person or business that collects, owns or licenses personal information about a resident of the Commonwealth, including employees. Personal information includes a person’s first and last name in conjunction with their: social security number; driver’s license number or state issued ID card number; financial account number including credit or debit card numbers. Personal information does not include information that is lawfully obtained from publically available information. State Legal Counsel, Steve Ryan has confirmed that redacting (blacking out) check account and routing numbers remove it from the file. Consider information on hud statements and the type of mortgage / personal material retained in your files.

It is important to recognize that in many real estate transactions no personal information may be collected by the broker. Instances where brokers are more likely to collect personal information include rental transactions and short sales. For example, a rental application will typically require a prospective tenant’s name and social security number. When the broker takes this application, this means that the broker has now generally collected personal information and needs to ensure that the information is protected in accordance with the regulations. By keeping the application in a locked file cabinet with limited access or shredding it after use, the broker has taken one step to comply with the regulations. It is advised that all brokers review what information is taken from customers and clients, regardless of the type of transaction. Knowing in advance what information you collect will help you develop your WISP and remain in compliance. It is also important to review all forms and information that is collected from consumers to ensure that no unnecessary personal information is being collected. Although the regulations do not specifically address the issue, keep in mind that past transactions with closed files that may remain in the office may contain personal information. Unlike many other laws applicable to brokers and salespersons, the regulations were not written specifically for the real estate industry. Rather, they apply broadly to all industries in Massachusetts that may collect, own or license personal information of residents of the state. We continue to monitor similar legislation on the issue of data security and ID theft have been proposed in Congress but have not been passed into law.

What do I have to do to comply?
The new statute and regulations require persons or businesses with personal information to develop a WISP. The scope and complexity of the document will vary depending on the type of personal information you will keep and the resources you have available. The WISP must identify the measures that will be taken to safeguard both electronic and hardcopy files. For example, the regulations state that the WISP must specify “reasonable restrictions upon physical access to records containing personal information and storage of such records and data in locked facilities, storage areas or containers.” The Regulations identify a number of other specific requirements that must be incorporated into the WISP. See the links below for a sample WISP that is posted on the State’s Office of Consumer Affairs website.

The WISP must also include measures to ensure protection of data maintained on a computer, laptops and portable devices. The regulations require encryption of these devises in cases where encryption is “technically feasible.” This means that if there is a reasonable means through technology to encrypt, then those steps should be taken to protect the data. The law recognizes that not all portable devices such as phones, blackberries, net books, iphones, etc. are technically capable of being encrypted. While it may not be technically possible to encrypt these devices, personal information should not be put at an unreasonable risk.

Must my information security program be in writing?
Yes, your information security program must be in writing. The scope and complexity of the document will vary depending on your resources and the type of personal information you are storing or maintaining. But everyone who owns or licenses personal information must have a written plan detailing the measures adopted to safeguard such information. A model policy, ready for easy customization, can be downloaded by clicking the link below.

Does my office have to meet the same requirements imposed on large investment banks and other major corporations?
No. The Commonwealth’s Office of Consumer Affairs adopted a “risk-based” approach that directs a business to establish a written security program that takes into account the particular business’s size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. This approach is especially important to those small businesses that do not handle or store large amounts of personal information.

What exactly is “encryption”?
Encryption entails the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.

Do I have to hire an expert to encrypt my electronic devices or to write a security program?
Unlike earlier versions, the final Regulations have very significant differences that take into account small businesses with limited resources. Most importantly the use of a risk-based approach allows businesses to comply by taking into account the size, scope, and available resources, nature and quantity of data collected or stored and the need for security. A sample policy is available at the link below but should be tailored to meet the specific needs of each individual brokerage. If personal information is stored on a computer system, it must be encrypted if technically feasible.

For further information on this issue, please see the following links:
Frequently Asked Questions:
Sample Small Business Policy:
Compliance Checklist:
Requirements for Security Breach Notification:
Data Security Regulations:

Submitted by Sandy Carroll on 03/08/2010