{"id":304,"date":"2020-03-19T10:29:22","date_gmt":"2020-03-19T14:29:22","guid":{"rendered":"https:\/\/www.apslaw.com\/its-your-business\/?p=304"},"modified":"2025-08-18T16:56:02","modified_gmt":"2025-08-18T20:56:02","slug":"working-from-home-in-massachusetts-compliance-with-data-privacy-laws","status":"publish","type":"post","link":"https:\/\/www.apslaw.com\/its-your-business\/2020\/03\/19\/working-from-home-in-massachusetts-compliance-with-data-privacy-laws\/","title":{"rendered":"Working from Home in Massachusetts: Compliance with Data Privacy Laws"},"content":{"rendered":"<p>The coronavirus (COVID-19) pandemic has led civic leaders at every level, public and private, to encourage or require behavior designed to mitigate the spread of disease, from \u201csocial distancing\u201d to closing public venues to limiting the size of social gatherings.\u00a0 Businesses have joined the fight, increasingly urging (or requiring) their employees to work from home during the crisis. Working from home can be a good way to keep a business running while meeting our public health responsibilities.<\/p>\n<p>For employees whose work requires access to private information about customers and clients, however, there is an added layer of risk that employers should address under Massachusetts data privacy law. Data handling procedures that are adequate when the employee is at the office may need to be revised for off-site work.\u00a0 Before allowing an employee to hold and use personal information outside the business computer network, the employer should assess the employee\u2019s home network, the strength of the authentication and other security measures in use, and whether the computer equipment is outdated or may already be compromised by spyware or malware. Protection of customers\u2019 and clients\u2019 personal information should be a top priority. 
While the COVID-19 pandemic will almost certainly alter the way businesses function, those changes should be made in a way that does not compromise legal compliance.\u00a0 Failing to address these issues promptly can damage the organization\u2019s reputation or expose it to avoidable litigation.<\/p>\n<p>Massachusetts has one of the strictest data protection laws in the country. Compliance can be challenging even under normal circumstances, and the decision to have employees work from home does not relieve the organization of its data protection obligations, even when that decision is justified by a pressing public need.<\/p>\n<h2><em>What the law says<\/em><\/h2>\n<p>The Massachusetts regulations, formally titled \u201cStandards for The Protection of Personal Information of Residents of the Commonwealth,\u201d 201 C.M.R. 17.00, set security requirements for organizations that handle the personal information of Massachusetts residents. As stated in the enabling statute, the objectives of the regulations are to<\/p>\n<p>ensure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.<\/p>\n<p>M.G.L. c. 93H \u00a7 2. The statute defines \u201cpersonal information\u201d as a resident&#8217;s first and last name, or first initial and last name, in combination with any one or more of the following data elements relating to that resident: Social Security number; driver\u2019s license number or state-issued identification card number; or financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to the resident\u2019s financial account. Mass. Gen. Laws c. 93H \u00a7 1. Information lawfully obtained from publicly available sources, or from government records lawfully made available to the general public, is excluded from the definition.\u00a0 Additionally, Mass. Gen. Laws c. 93I, which governs the disposal of records, includes biometric indicators (e.g., DNA, facial features, and fingerprints) in its definition of \u201cpersonal information.\u201d<\/p>\n<p>The regulations require that \u201c[e]very person that owns or licenses personal information about a resident of the Commonwealth\u201d develop, implement and maintain a comprehensive written information security program. 201 C.M.R. 17.03. \u00a0Notably, the obligation attaches to any entity that owns or licenses information about Massachusetts residents, whether or not the entity is organized under the laws of Massachusetts.<\/p>\n<p>The comprehensive information security program requirements include, but are not limited to:<\/p>\n<ul>\n<li>designating one or more employees to maintain the comprehensive information security program;<\/li>\n<li>creating a means of detecting and preventing security system failures;<\/li>\n<li>developing security policies for staff relating to the collection, storage, access and transportation of records and personal information outside of the physical business premises;<\/li>\n<li>imposing disciplinary measures for violations of the information security program;<\/li>\n<li>preventing terminated employees from accessing records containing personal information by removing their access privileges upon termination; and,<\/li>\n<li>overseeing service providers, including by contractually requiring them to implement and maintain appropriate security measures for personal information.<\/li>\n<\/ul>\n<p>201 C.M.R. 17.03.<\/p>\n<p>In addition to requiring the program itself, the regulations oblige businesses that store or transmit personal information electronically to include in that program a security system covering their computers, including any wireless system. 201 C.M.R. 17.04. 
Required elements include secure user authentication protocols and access control measures; encryption of all records and files containing personal information that travel across public networks, and of all such data transmitted wirelessly; reasonable monitoring of systems for unauthorized use of or access to personal information; encryption of all personal information stored on laptops and other portable devices; reasonably up-to-date firewall protection and operating system security patches; reasonably up-to-date malware protection; and training of employees on the proper use of the computer security system. 201 C.M.R. 17.04. Note that the encryption requirement is not limited to data in transit: a laptop or USB drive carried home must itself be encrypted. A lost or stolen device holding unencrypted personal information is a reportable breach; the same device, if properly encrypted, generally is not (see below).<\/p>\n<h2><em>What constitutes a breach of security and what to do if a breach is suspected<\/em><\/h2>\n<p>A \u201cbreach of security\u201d is \u201cthe unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.\u201d M.G.L. c. 93H \u00a7 1. The distinction matters: the loss of properly encrypted data is not a breach unless the key or decryption process is also compromised, which is one more reason to encrypt personal information on every portable device and in every file that leaves the office. A good-faith but unauthorized acquisition by an employee for the business\u2019 lawful purposes is likewise not a breach unless the information is then used or disclosed in an unauthorized manner.<\/p>\n<p>If there has been activity that may constitute a breach of security, the owner or licensor of the data must notify the affected residents \u201cas soon as practicable and without unreasonable delay.\u201d M.G.L.\u00a0 c. 93H \u00a7 3. Notice must also be provided to the state Attorney General and the director of consumer affairs and business regulation, who may take further action.<\/p>\n<h2><em>How to prevent the release of personal information with employees working from home<\/em><\/h2>\n<p>Be prepared: set up a plan and written procedure with employees now, making them aware of what is expected of them. Advise employees <em>how<\/em> they are expected to work from home and which software and equipment they should use. If the company does not provide its employees with computers for offsite use, require employees to keep their home computers\u2019 operating system, applications, and anti-spyware and antivirus protection updated. If not cost-prohibitive, provide employees with the software necessary to protect their home computers. 
Lastly, and perhaps the simplest protection to put in place, ensure that every electronic document containing personal information is encrypted using strong encryption (for example, AES-256 in a current file-encryption or archive tool) with a strong passcode that is unique to the document or recipient and that is communicated through a separate channel from the file itself, never in the same e-mail.<\/p>\n<p>There are several ways in which an employee can work from home securely. The three most common are: Virtual Private Network (VPN) access, a virtual desktop, and physical (hard-copy) files.<\/p>\n<p>The two computer-based, and most popular, options are VPNs and virtual desktops. A VPN creates an encrypted tunnel between the employee\u2019s laptop or desktop and the employer\u2019s network, so the employee can reach internal resources remotely much as if onsite. Because the home machine effectively joins the corporate network, the employer should require multi-factor authentication for the VPN, limit VPN access to managed or adequately protected devices, and keep the VPN software itself patched; a compromised home computer on the VPN is a compromised computer inside the office.<\/p>\n<p>A virtual desktop (often called virtual desktop infrastructure, or VDI) is a remote desktop session that the employee opens, typically through a secured web portal or client, to a computer desktop running inside the employer\u2019s network. The portal requires the same login credentials the employee would use onsite, ideally with multi-factor authentication. Its chief advantage is that files stay on the employer\u2019s systems: only screen images, keystrokes and mouse movements cross the connection, so personal information never needs to be stored on the home device. Clipboard, printing and file-transfer features should be disabled or restricted to preserve that benefit.<\/p>\n<p>Lastly, employees without a suitable home computer may be carrying physical documents and other materials, including external drives, offsite. While this limits the exposure of personal information stored electronically, there is still a risk of misplacing these items or having them stolen, and an external drive is a portable device that 201 C.M.R. 17.04 requires to be encrypted. Remind employees of the company\u2019s encryption policy for transmitting and transporting files containing personal information. 
\u00a0This policy should also set the company\u2019s expectations for employees who remove physical documents from the office: which records may leave at all, where they may be used or accessed offsite, how they are to be stored when not in use (for example, locked away and out of view of household members), and how and when they are to be returned or destroyed.<\/p>\n<p>For your convenience a complete copy of the Massachusetts Standards for The Protection of Personal Information of Residents of the Commonwealth can be found <strong><a href=\"https:\/\/www.mass.gov\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/strong> For general guidance applicable to businesses and employers, please visit the CDC website,<strong> <a href=\"https:\/\/www.cdc.gov\/\" target=\"_blank\" rel=\"noopener\">here<\/a><\/strong>. Please contact Adler Pollock &amp; Sheehan for guidance navigating the legal implications that the COVID-19 pandemic may have on your business.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The coronavirus (COVID-19) pandemic has led civic leaders at every level, public and private, to encourage or require behavior designed to mitigate the spread of disease, from \u201csocial distancing\u201d to closing public venues to limiting the size of social gatherings.\u00a0 Businesses 
have&#8230;<\/p>\n","protected":false},"author":7,"featured_media":287,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[119,122,32],"tags":[120,121,33,35],"class_list":["post-304","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-coronavirus","category-covid-19","category-cyber-security","tag-coronavirus","tag-covid-19","tag-cyber-security","tag-data-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/posts\/304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/comments?post=304"}],"version-history":[{"count":0,"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/posts\/304\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/media\/287"}],"wp:attachment":[{"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/media?parent=304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/categories?post=304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/tags?post=304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}