Can I use third-party project management tools that collect personal information in Massachusetts? What are the requirements?
Using Third-Party Project Management Tools in Massachusetts
If you are using third-party project management tools that collect personal information in Massachusetts, you must ensure that you comply with the state’s data protection laws. Specifically, you must comply with the requirements set forth in 201 CMR 17.03, 940 CMR 27.04, 760 CMR 8.03, 965 CMR 3.04, and 965 CMR 3.03.
Requirements for Protecting Personal Information
Under 201 CMR 17.03, every person that owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards that are appropriate to the size, scope, and type of business. The safeguards must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.
Under 940 CMR 27.04, the Attorney General’s WISP must establish and maintain security measures covering its computers, including wireless systems, that, at a minimum, and to the extent technically feasible, have elements such as secure user authentication protocols, secure access control measures, restricted access to computerized records containing personal information, safeguards against access by former employees, safeguards against the transmission of personal information, reasonable periodic monitoring of networks and systems for unauthorized use of or access to personal information, encryption of personal information stored on laptops or other portable devices, and enhanced network security.
Under 760 CMR 8.03, a holder shall not collect or maintain more personal data than reasonably necessary for the performance of the holder’s legally authorized functions. A holder shall not allow any individual, agency, or entity not employed by the holder or under contract or agreement with the holder to have access to personal data unless such access is authorized by statute or by regulations which are consistent with the purposes of M.G.L. c. 66A.
Under 965 CMR 3.04, the Auditor’s WISP shall establish and maintain security measures covering its computers, including wireless systems, that, at a minimum, and to the extent technically feasible, have secure user authentication protocols, secure access control measures, restricted access to computerized records containing personal information, safeguards against access by former employees, safeguards against the transmission of personal information, reasonable periodic monitoring of networks and systems for unauthorized use of or access to personal information, encryption of personal information stored on laptops or other portable devices, enhanced network security, and firewall protection with up-to-date patches, including operating system security patches.
Under 965 CMR 3.03, the Auditor shall develop, implement, maintain, and monitor a Written Information Security Program (WISP) designed to safeguard the personal information of residents of the commonwealth contained in the records of the Auditor. The Auditor’s WISP shall be separate from 965 CMR 3.00 in order to facilitate periodic review and updating of the program. The WISP shall include elements such as designation of employee, identification and assessment of internal and external risks, restricted access to records containing personal information, safeguards against access by former employees, verification of third-party service providers, collection of information, access, storage, use, and disclosure, monitoring, review of program, review, responsive action, and documentation of responsive action, destruction, and employee training.
Compliance with Third-Party Service Providers
Under 201 CMR 17.03(2)(f), a person that owns or licenses personal information may oversee service providers by taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with 201 CMR 17.00 and any applicable federal regulations. The person may also require such third-party service providers by contract to implement and maintain such appropriate security measures for personal information.
Under 940 CMR 27.04(1), the Attorney General’s WISP shall establish and maintain security measures covering its computers, including wireless systems, that, at a minimum, and to the extent technically feasible, have secure user authentication protocols, including control of user IDs and other identifiers, a reasonably secure method of assigning and selecting passwords consisting of at least seven letters and numbers, periodic changing of passwords, control of data security passwords to ensure that such passwords are kept at a location separate from that of the data to which such passwords permit access, restricting access to active users and active user accounts only, and blocking access to user identification after multiple unsuccessful attempts to gain access to the particular system.
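As an added illustration, not text from the page or from the regulation, of how the authentication elements listed in 940 CMR 27.04(1) translate into a login control: a hypothetical gate that enforces the seven-character letters-and-numbers password rule when a password is set, stores only a salted PBKDF2 hash, restricts logins to active accounts, and locks an account after multiple failed attempts. The lockout threshold of five and the reading of "seven letters and numbers" as at least seven characters containing both a letter and a digit are assumptions.

```python
import hashlib, os, secrets
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 7   # 940 CMR 27.04(1): "at least seven letters and numbers"
MAX_FAILED_ATTEMPTS = 5   # assumed threshold; the rule only says "multiple unsuccessful attempts"

def password_meets_policy(pw: str) -> bool:
    """Assumed reading of the rule: at least seven characters, containing both letters and digits."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))

@dataclass
class Account:
    salt: bytes
    digest: bytes
    active: bool = True          # set False for former employees / retired accounts
    failed_attempts: int = 0
    locked: bool = False

class AuthGate:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    @staticmethod
    def _hash(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def set_password(self, user_id: str, pw: str) -> bool:
        if not password_meets_policy(pw):   # reject weak passwords up front
            return False
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt, self._hash(pw, salt))
        return True

    def attempt(self, user_id: str, pw: str) -> str:
        acct = self.accounts.get(user_id)
        # Unknown and inactive accounts get the same answer as a bad password (no enumeration).
        if acct is None or not acct.active:
            return "denied"
        if acct.locked:
            return "locked"
        if secrets.compare_digest(self._hash(pw, acct.salt), acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True            # block access after multiple failures
            return "locked"
        return "denied"
```

Periodic password changes and keeping data-security passwords separate from the data they protect are not modelled here.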
Conclusion
In conclusion, if you are using third-party project management tools that collect personal information in Massachusetts, you must ensure that you comply with the state’s data protection laws, including 201 CMR 17.03, 940 CMR 27.04, 760 CMR 8.03, 965 CMR 3.04, and 965 CMR 3.03. You must also ensure that any third-party service providers you use are capable of maintaining appropriate security measures to protect personal information and that you have a contract in place requiring them to do so.
Jurisdiction
Massachusetts