SPR Bulletin 01-08

TO: (1) Executive offices and any agencies, departments, boards, commissions and instrumentalities within an executive office; and (2) any authority created by the General Court.
SUBJECT: Security Breach Protections
EXPIRATION DATE: Given the dynamic nature of this issue, records custodians are advised to regularly refer to the websites of the Supervisor of Records and the Information Technology Division for updates. This Bulletin remains in effect until superseded.
PURPOSE: This Bulletin provides requirements designed to safeguard the personal information of residents of the Commonwealth that is owned or licensed by certain agencies of government.

BACKGROUND:
It is the intent of the Secretary of the Commonwealth to ensure that personal information about Massachusetts residents is protected. To that end, the purpose of this Bulletin is to encourage the agencies to which this Bulletin applies to provide reasonable security for that information. As authorized by Section 2B of Chapter 93H, the Supervisor of Records, with the advice and consent of the Information Technology Division, is authorized to issue this Bulletin concerning the safeguarding of personal information of Massachusetts residents. The following provisions will apply to: (1) executive offices and any agencies, departments, boards, commissions and instrumentalities within an executive office; and (2) any authority created by the General Court.

FINDINGS:
1. Identity theft is an area of great concern that faces the residents of the Commonwealth. The Office of the Secretary has been charged by the Legislature, with the advice and consent of the Information Technology Division, to issue provisions to guard against anticipated threats or hazards to the security or integrity of certain personal information on file, maintained or otherwise under the control of certain state agencies, and to protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any resident of the Commonwealth.

2. Personal information is defined in Section 1 of Chapter 93H as a resident's first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:

(a) Social Security number;
(b) driver's license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

ACTIONS:

1. An agency to which this Bulletin applies shall establish, execute, and manage an inclusive, written information security program that applies to any records under their custody or control containing personal information, as defined in Section 1 of Chapter 93H.  The security program should take into consideration the legal requirements for the retention and destruction of the records at issue.  Additionally, the records management policy should develop procedures that address the identification, retention, retrieval, ultimate disposition or destruction of and access to these records containing personal information.

2. An agency to which this Bulletin applies shall provide guidance to employees regarding how to identify and maintain information that contains personal information.

3. An agency to which this Bulletin applies shall take all reasonable steps to destroy, or arrange for the destruction of a Massachusetts resident's records within its custody or control containing personal information which is no longer to be retained by the agency in compliance with the destruction provisions of Section 2 of Chapter 93I, the Records Conservation Board and/or the Supervisor of Records, agency business needs, or the requirements of any other Federal or state records retention requirement including, without limitation, rules of civil or criminal procedure.

4. An agency to which this Bulletin applies that owns or licenses personal information about a Massachusetts resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

5. An agency to which this Bulletin applies that discloses personal information about a Massachusetts resident pursuant to a contract with a nonaffiliated third party executed after implementation of this Bulletin shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

6. As required by Section 3(c) of Chapter 93H, an agency within the Executive Department must provide written notification of the nature and circumstances of a security breach or unauthorized acquisition or use of personal information to both the Information Technology Division and the Division of Public Records.  The agency is required to comply with all policies and procedures adopted by the Information Technology Division pertaining to the reporting and investigation of such an incident.

7. The written notification, at minimum, must contain information concerning:

a) The nature of the breach of security or unauthorized acquisition or use of personal information;

b) The number of individuals affected;

c) Actions taken to address the security issue;

d) Measures to be implemented to prevent similar security issues;

e) Contact information for an individual at the agency who can provide further information concerning the security issue, if necessary.

8. An electronic communication will satisfy the requirement for written notification. See G.L. ch. 110G. The Information Technology Division requests that notification, pursuant to Section 3(c) of Chapter 93H, is provided electronically via an email sent to Information Technology Division's Chief Information Officer and copied to the Information Technology Division's Security Officer and General Counsel, rather than via paper letter.

9. The exemptions to the Public Records Law shall apply to the records created pursuant to Chapter 93H. Please note, these exemptions from disclosure are strictly and narrowly construed. Agencies are encouraged to refer to Chapter 4, Sections 7(26)(a-q) in order to properly apply the exemptions in the manner necessary to maintain the integrity and security of these records.

Questions regarding this Bulletin, as well as notifications pursuant to Section 3(c) of Chapter 93H should be directed to:

Supervisor of Records
Public Records Division
1 Ashburton Place, Room 1719
Boston, MA 02108
Phone 617-727-2832
Fax 617-727-5914
Email pre@sec.state.ma.us
www.sec.state.ma.us/pre

Information Technology Division
One Ashburton Place, Room 804
Boston, MA 02108
Phone: 617-626-4448
Fax: 617-626-4459
www.mass.gov/itd