Can I use third-party file sharing tools that collect personal information in Massachusetts? What are the requirements?
Using Third-Party File Sharing Tools that Collect Personal Information in Massachusetts
If you are using third-party file sharing tools that collect personal information in Massachusetts, you must ensure that you comply with the state’s regulations for safeguarding personal information.
According to MGL Chapter 93H, Section 2, any person that owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size, scope, and type of business. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.
Furthermore, 201 CMR 17.04 requires that every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:
- Secure user authentication protocols including:
  - control of user IDs and other identifiers;
  - a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
  - control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
  - restricting access to active users and active user accounts only; and
  - blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.
- Secure access control measures that:
  - restrict access to records and files containing personal information to those who need such information to perform their job duties;
  - assign a unique user ID plus a password, which is not vendor supplied, to each person with computer access; and
  - include a written procedure that sets forth the manner in which access to personal information is restricted.
- Safeguards against access by former employees, including terminating their electronic access to such records, including deactivating their passwords and user names.
- Safeguards against the transmission of personal information, including encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
- Reasonable periodic monitoring of networks and systems for unauthorized use of or access to personal information, and recording the audit trails for users, events, dates, times, and success or failure of login.
- Encryption of personal information stored on laptops or other portable devices.
- Firewall protection with up-to-date patches, including operating system security patches, for electronic files containing personal information on a system that is connected to the Internet.
- The most current version of system security agent software, which will include antispyware and antivirus software with up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and which includes security software that is set to receive the most current security updates on a regular basis.
- Education and training of employees on the proper use of the computer security system, the importance of personal information security, and resources available to safeguard personal information.
- Enhanced network security.
Therefore, if you are using third-party file sharing tools that collect personal information in Massachusetts, you must ensure that the tools comply with the above requirements. If the third-party file sharing tools do not comply with these requirements, you may be in violation of Massachusetts regulations for safeguarding personal information.
In addition, if you know or have reason to know of a breach of security or unauthorized use of personal information, you must report it to the owner or licensor of the information, as well as to the attorney general and the director of consumer affairs and business regulation [2.1].
If you are storing personal data in a member’s retirement file, any person may request access to public records in the file pursuant to the procedures provided in 840 CMR 6.11 and M.G.L. c. 66, § 10. However, if the custodian determines that the data requested are not a public record, access may be denied unless authorized by a statute or regulation consistent with the purposes of M.G.L. c. 66A or 840 CMR 6.00, requested by an employer consenting to observe the provisions of M.G.L. c. 66A applicable to holders of personal data, approved in writing by the member, or requested by a physician treating a data subject during a medical or psychiatric emergency which precludes the data subject from approving disclosure [5.1].
Therefore, it is important to ensure that any personal information is properly safeguarded and accessed only by authorized individuals.
Source(s):
- [2.1] Duty to report known security breach or unauthorized use of personal information
- [5.1] Access to Personal Data in Retirement Files by the General Public
Jurisdiction
Massachusetts