A recent enforcement action by the Massachusetts Attorney General’s Office (“Mass. AG”) serves as a stark reminder of how important it is to have robust data security policies and practices in all respects, including with respect to company equipment and locally stored data.
Massachusetts was among the first states to pass and implement regulations creating affirmative security standards for companies holding information of Massachusetts residents, which the Mass. AG is empowered to enforce. In the recently announced enforcement action against a Medicaid bill processing company, the AG settled with the company for violating “state consumer protection and data security laws” stemming from the theft of a laptop from a locked car in or about 2014. The laptop was believed to have contained, among other things, the unencrypted personal information of more than 2,600 Massachusetts schoolchildren, including their names, social security numbers, Medicaid identification numbers, and for some students, their birth dates. News reports at the time indicate that the company notified all the parents of affected children about a month after the incident.
According to the Mass. AG’s announcement late last month, the company agreed to a consent judgment after the Mass. AG found it had failed to undertake measures to “reasonably safeguard personal information.” Under the settlement, the company will have to pay a $100,000 fine and undertake and report on remedial measures to strengthen its security practices. The Mass. AG’s aggressiveness in pursuing an action and remedies based on a relatively small-scale incident, albeit one that involves the personal data of children, raises the possibility that certain regulators may be moving towards a “broken-windows” theory of enforcement, putting companies on notice that they must take seriously all obligations to protect their data. Of course, because this involved the personal data of children, this may also have been a case that the Mass. AG viewed as one that would receive public attention, and therefore was a useful way to send a message to companies operating in Massachusetts. Either way, encrypting personal data (a requirement of many data security standards) remains an easy way for companies to avoid the legal, financial and reputational issues arising from an incident such as this one.