Editor's Note – Cynthia J. Larose, is an attorney with AIM Member Law Firm Mintz Levin. She serves as a member of the firm’s Corporate & Securities Section, is the Chair of the Privacy & Security practice, and is a Certified Information Privacy Professional (CIPP).
Employers face two important developments this week with Massachusetts’ toughest-in-the-nation data security law.
The first is a Thursday deadline under which companies that own or license the personal information of Massachusetts residents must ensure that contracts with third party service providers – such as payroll providers or Web site hosting companies - signed prior to March 1, 2010 are amended to incorporate appropriate data-security requirements.
The second is a recent court decision that gives businesses yet another category of personal information to worry about - customer zip codes collected in the context of a credit-card transaction.
To reduce the risk of data breaches involving third-party service providers, the Massachusetts regulations require companies to take reasonable measures to select vendors capable of “maintaining appropriate security measures to protect such personal information consistent with [the] regulations and any applicable federal regulations.” Furthermore, the regulations mandate that companies contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements.
Regardless of location, an entity must comply if it receives, stores, maintains, processes, or otherwise has access to personal information of Massachusetts residents in connection with the provision of goods and services or in connection with employment. Because the regulations contain such broad definitions for terms such as “own and license," most service are likely subject to this requirement.
The contract provision includes a grandfather clause, providing that all contracts entered into before March 1, 2010 are exempt from complying with this requirement. That exemption ends Thursday.
If your company relies on service providers to receive, store, process or otherwise access personal information of Massachusetts residents, you must ensure that those service-provider contracts contain a representation that appropriate administrative, physical and technical safeguards are maintained to protect the personal information. Letters from service providers “certifying” that they are in compliance with 201 CMR 17 are not sufficient to meet the requirements of the regulations.
Beware Customer ZIP Codes
Separately, the U.S. District Court for the District of Massachusetts granted a motion to dismiss recently against a customer-plaintiff who alleged that Michaels Stores, Inc. was violating Massachusetts law through its in-store information collection policies. While this is good news, the holding in Tyler v. Michaels Stores, Inc., (D. Mass. Jan. 6, 2012), results in yet another category of “personally identifiable information” for businesses to worry about.
In the Michaels case, the court found that the customer ZIP codes do constitute “personal information” under Massachusetts law when collected in the context of a credit card transaction. The plaintiff’s class action complaint alleged that “Michaels illegally requested customers’ ZIP codes when processing their credit card transactions in violation of” Massachusetts General Laws Ch. 93, Section 105(a) that prohibits retailers from writing down any “personal identifying information” not required by a credit card issuer on a “credit card transaction form” when accepting payment by credit card.
Michaels – as is common practice among retailers – requested customers ZIP codes during checkout, and the plaintiff believed that the information was required for the credit card transaction. Instead, Michaels used the information to complete a reverse-lookup and obtained her address and phone number from commercial databases. The plaintiff alleged that she subsequently received unwanted marketing materials from the company.
The court ruled against the plaintiff on the issue of alleged injuries and damages, holding that Section 105(a) did not create a privacy interest so broad that it would shield consumers from receiving unwanted marketing materials. However, the court did open the door for retailers to be held accountable under Section 105(a) by determine that the “personal identifying information” protected under the statute includes ZIP codes.
This should serve as a warning to Massachusetts retailers that collect customer ZIP codes at point of sale and drive revision of policies and procedures. Clear disclosure and choice should be offered to customers at point of sale before any additional information is requested and collected, other than what is required to process a credit card transaction.
This is unlikely to be the last we see of this issue in Massachusetts.