Last October, a Maloney Properties, Inc. (“MPI”) company laptop was stolen containing unencrypted personal information, including social security numbers, for over 600 Massachusetts residents. Shortly after the incident, MPI sent letters to customers alerting them of the incident and related data breach. As a result of that data breach, Massachusetts Attorney General Martha Coakley conducted an investigation into the acts and practices of MPI in protecting the personal information of its customers, as defined by G.L. c. 93H, § 1. Based on her investigation, Coakley alleged that MPI violated G.L. c. 93H et seq., the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00 et seq., and the Massachusetts Consumer Protection Act (G.L. c. 93A, § 2) by (a) maintaining personal information on an unencrypted laptop, and (b) failing to follow its own Written Information Security Program, as required by 201 CMR 17.03.
To settle the investigation, MPI entered into an Assurance of Discontinuance with the AG on March 21, 2012. Pursuant to the Assurance of Discontinuance, MPI has agreed to pay a civil penalty of $15,000, and has further agreed that it will:
ensure that personal information is not unnecessarily stored on portable devices, including laptops;
ensure that all personal information stored on portable devices is properly encrypted;
ensure that all portable devices containing personal information are stored in a secure location;
effectively train employees on the policies and procedures with respect to maintaining the security of personal information; and
perform an audit of its compliance with its Written Information Security Program at least annually.
The Assurance of Discontinuance also requires that, for the years 2012 and 2013, MPI submit the results of its audit to the Attorney General’s office within 14 days of completion. Given that the audit requirement says “on at least an annual basis,” it is conceivable that the Attorney General’s office could require MPI to conduct additional audits if the results are less than satisfactory.
Interestingly, this settlement has gone unreported by local media. It is the third breach-related enforcement action by the Massachusetts Attorney General’s office. In August 2011, the AG reached a settlement with Belmont Savings Bank for $7,500 and in March 2011, the AG reached a settlement with Briar Group, LLC for $110,000. None of the settlements provide any guidance as to what kinds of reported breaches – or activity that relates to a breach – raise red flags at the Massachusetts AG’s office. In all cases, however, the data was unencrypted in transit (Briar Group) and at rest (MPI and Belmont Savings).
If your business owns, stores, or licenses the personal information of Massachusetts residents, as of March 1, 2010, you must have a written information security program — and that program must be appropriately vetted, implemented with proper training of employees, and it must be revisited from time to time to ensure that it is still consistent with your operations. Say what you do and make sure that you do what you say.
Contact a member of the Mintz Levin Privacy team for more information related to compliance with the Massachusetts data protection regulations, and for more information related to the legal requirements for when and how you must notify customers of a data security breach. We’ve written extensively about compliance with the Massachusetts regulations, here.