The coronavirus (COVID-19) pandemic has led civic leaders at every level, public and private, to encourage or require behavior designed to mitigate the spread of disease, from “social distancing” to closing public venues to limiting the size of social gatherings. Businesses have joined the fight, increasingly urging (or requiring) their employees to work from home during the crisis. Working from home can be a great option to keep a business going while meeting our public health responsibilities.
For employees whose work requires them to access private information about customers and clients, however, there is a layer of risk that employers should address relating to compliance with Massachusetts data privacy laws. Ordinary data handling procedures that apply when the employee is at the office may need to be revised if the employee is working off-site. Before enabling the employee to have and use private information outside of the business computer network, the employer should consider reviewing the potential vulnerability of employees’ home networks, weak security measures, and computer equipment that is either outdated or that might be compromised by spyware or malware. The protection of customers’ and clients’ personal information should be a top priority. While the COVID-19 pandemic will almost certainly alter the way in which businesses function, those changes should be made in a way that does not negatively impact legal compliance. Failing to address these issues in a timely manner can injure the organization’s reputation or expose the organization to unnecessary litigation.
Massachusetts has one of the strictest data protection laws in the country. Compliance can present challenges for a business even under normal circumstances, but the decision to have employees work from home does not relieve the organization of its data protection obligations, even when that decision is justified by a great public need.
What the law says
The Massachusetts law, formally known as “Standards for The Protection of Personal Information of Residents of the Commonwealth,” 201 C.M.R. 17.00, includes security requirements for organizations that handle the personal information of Massachusetts residents. As detailed within the statute, the objectives of the regulations are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.
M.G.L. 93H § 2. The law defines “personal information” as a resident’s first and last name, or first initial and last name, in combination with any 1 or more of the following data elements that relate to such resident: social security number; driver’s license number or state-issued identification card number; or, financial account number or credit card number. Mass. Gen. Laws c. 93H § 1. Additionally, Mass. Gen. Laws. c. 93I includes biometric indicators (i.e., DNA, facial features, and fingerprints) within the definition of “personal information.”
The law mandates that “[e]very person that owns or licenses personal information about a resident of the Commonwealth” is required to develop, implement and maintain a comprehensive information security program. 201 C.M.R. 17.03. Notably, the law applies to any entity that maintains information on Massachusetts residents, whether or not the entity is organized under the laws of Massachusetts.
The comprehensive information security program requirements include, but are not limited to:
- designating personnel to tend to the comprehensive information security program;
- creating a means of detecting and preventing security system failures;
- developing solid security policies for staff relating to the collection, storage, access and transportation of records and personal information outside of the physical business premises;
- devising and imposing disciplinary actions for violations against the information security program;
- protecting personal information from terminated employees by removing access privileges upon termination; and,
- working with and overseeing service providers, or service organizations, requiring them to follow the business’ security measures for personal information.
201 C.M.R. 17.03.
In addition to requiring the implementation of such a program, businesses are also obligated to set forth security requirements for the business’ computer systems including any wireless systems. 201 C.M.R. 17.04. Such security elements include secure user authentication protocols and access control measures, encryption of all transmitted records and files, reasonable monitoring systems, encryption of all personal information stored on laptops and other portable devices, and reasonably up-to-date firewall and malware protection. 201 C.M.R. 17.04.
What constitutes a breach of security and what to do if a breach is suspected
A security breach is considered an “unauthorized acquisition or unauthorized use of unencrypted data or encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of PI [personal information], maintained by an Entity that creates a substantial risk of identity theft or fraud against a MA resident.” M.G.L. c. 93H § 1.
If there has been activity that may constitute a security breach, violating Massachusetts data protection laws, there is an obligation to notify the affected resident “as soon as practicable and without unreasonable delay.” M.G.L. c. 93H § 1. In addition, notice must be provided to the state Attorney General and the director of consumer affairs and business regulation for possible further action.
How to prevent the release of personal information with employees working from home
Be prepared – set up a plan/procedure with employees now, making them aware of what is expected of them. Advise employees how they are expected to work from home and the software and/or equipment they should use. If the company does not provide its employees with computers for offsite use, ask employees to keep the software, anti-spyware and antivirus protection on their home computers updated. If not cost prohibitive, provide employees with the software necessary to protect their home computers. Lastly, and perhaps the simplest form of protection to put in place, ensure all electronic documents containing personal information are encrypted with unique passcodes.
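The encryption rule above only works if staff can tell which documents contain “personal information” in the statutory sense described under “What the law says.” The following is an added example, not code from the article or from any Massachusetts agency: it applies the 93H § 1 test (a first name or initial plus a last name, combined with at least one enumerated data element, with the 93I biometric indicators added) to records and flags documents that may not leave the office unencrypted. Field names, the document layout and every sample value are constructed assumptions.

```python
# Added example: classify records under the Massachusetts "personal information"
# definition (M.G.L. c. 93H s.1, plus c. 93I biometrics) and decide whether a
# document is cleared to leave the office under the encryption rule above.
# Field names, the document layout and every sample value are constructed.
DATA_ELEMENTS = (
    "ssn",                # social security number
    "drivers_license",    # driver's license number
    "state_id",           # state-issued identification card number
    "financial_account",  # financial account number
    "credit_card",        # credit card number
    "biometric",          # DNA, facial features, fingerprints (c. 93I)
)

def _present(value) -> bool:
    return bool(str(value or "").strip())

def has_statutory_name(record: dict) -> bool:
    """First and last name, or first initial and last name (an initial is just
    a one-character first name, so one test covers both forms)."""
    return _present(record.get("first_name")) and _present(record.get("last_name"))

def is_ma_personal_information(record: dict) -> bool:
    """Name component combined with at least one enumerated data element."""
    return has_statutory_name(record) and any(_present(record.get(k)) for k in DATA_ELEMENTS)

def offsite_clearance(document: dict) -> tuple:
    """Return (allowed, reason): no PI needs no special handling; a document
    containing PI must be encrypted before it is carried or sent offsite."""
    pi_count = sum(1 for r in document["records"] if is_ma_personal_information(r))
    if pi_count == 0:
        return True, "no Massachusetts personal information"
    if document.get("encrypted"):
        return True, f"{pi_count} PI record(s), document encrypted"
    return False, f"{pi_count} PI record(s) but document is not encrypted"

SAMPLE_DOCUMENTS = [  # constructed sample data
    {"name": "clients.xlsx", "encrypted": False, "records": [
        {"first_name": "J", "last_name": "Doe", "ssn": "000-00-0000"},  # initial + last + SSN
        {"first_name": "Ann", "last_name": "Lee"},                      # name alone is not PI
    ]},
    {"name": "vendors.xlsx", "encrypted": True, "records": [
        {"first_name": "Sam", "last_name": "Roe", "credit_card": "0000 0000 0000 0000"},
    ]},
    {"name": "list.txt", "encrypted": False, "records": [
        {"last_name": "Smith", "ssn": "000-00-0000"},  # no first name or initial: not PI
    ]},
]

def clearance_report(documents=SAMPLE_DOCUMENTS) -> dict:
    return {d["name"]: offsite_clearance(d) for d in documents}
```

Note that a record holding only a last name and a social security number does not meet the statutory definition, while a first initial with a last name does; the classifier encodes exactly that distinction, and nothing more.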
There are several different ways in which an employee can work from home securely. The three most common are: Virtual Private Network (VPN) access, a virtual desktop, and hard-copy (physical) files.
The two computer-based, and most popular, options are VPNs and virtual desktops. A VPN allows a laptop or desktop to create a virtual, direct, secure connection to an employer’s network. This option allows an employee to access the network remotely, just as it would be accessed if the employee were onsite.
A virtual desktop is a website an employee visits to access a computer desktop that is connected to the employer’s network. This website is secured and requires the same log-in credentials that an employee would be required to enter if onsite.
Lastly, employees without home computer access may be transporting physical documents and other materials, including external drives, offsite. While this limits the release of personal information stored electronically, there is still a risk of misplacing these physical items or having them stolen. Remind employees of the company’s encryption policy for transmitting files containing personal information. This policy should also include the company’s expectations for employees removing physical documents from the office, ensuring employees use their best judgment as to where they use/access these physical documents offsite.
For your convenience a complete copy of the Massachusetts Standards for The Protection of Personal Information of Residents of the Commonwealth can be found here.