August 2014 - Information Security and Privacy Group News
New Massachusetts Settlement Highlights Reach of State Data Protection Rules to Out-of-State Companies
The latest Massachusetts data breach settlement resolving claims under the tough Data Protection Rules (201 CMR 17) reinforces the need for good security practices and serves as a reminder of the potential reach of the Rules to non-Massachusetts businesses.
In the July 2014 settlement, Rhode Island Women and Infants Hospital ("RI Women and Infants") agreed to pay a total of $150,000 to resolve a Massachusetts state court lawsuit brought by the Massachusetts Attorney General under state consumer protection laws, the Massachusetts Rules and health care privacy laws. The settlement consists of a $110,000 civil penalty, $25,000 in attorneys' fees and costs, and $15,000 to a fund to promote information security education and support future data security litigation. RI Women and Infants also agreed to take a specific set of corrective measures to avoid future problems.
The hefty settlement reflects the serious nature of the alleged breaches. In 2012, RI Women and Infants allegedly lost 19 unencrypted backup tapes from two of its Prenatal Diagnostic Centers - one located in New Bedford, Massachusetts - holding names, dates of birth, social security numbers, ultrasound images and other medical information on over 12,000 Massachusetts residents. RI Women and Infants also allegedly erred by not properly reporting the breaches of this personal information and protected health information to Massachusetts authorities for nearly six months.
The case reinforces the need for good data security practices. Confidential information needs to be tracked and securely stored, consistent with the sensitivity of the data involved, especially when the data is not encrypted. If data is lost, the loss should be investigated and, where required, promptly reported to state authorities. The inadequacy of RI Women and Infants' inventory controls, data protection policies and training was cited as grounds for the fines and post-settlement compliance measures.
The RI Women and Infants case serves as a reminder that the Massachusetts Rules extend to all companies holding personal information of Massachusetts residents. All non-Massachusetts businesses holding confidential personal information of Massachusetts employees, vendors or customers are required to comply fully with the Massachusetts Rules, including developing a written information security plan ("WISP"), encrypting laptops, and encrypting emails containing personal information.
If you have questions about the information above or any other issues related to Information Security and Privacy, please contact your attorney or any of the attorneys in our Information Security and Privacy Group.