
Non-Profits Face Massachusetts’ Tough New Data Security Law on March 1, 2010


The roads traveled by non-profit entities have never been easy ones to negotiate. Indeed, the time, expense and, dare I say, risk of doing good deeds and raising capital have been fraught with potholes and impediments from the get-go. Now that road has become even more treacherous for non-profits and their cyber/tech insurers alike.


1.  An Overview of Massachusetts’ New Data Security Law

On March 1, 2010, a new data security law takes effect in the Commonwealth of Massachusetts. Described by some as the toughest data security law in the U.S., the law and its implementing regulations (201 CMR 17.00) apply to every entity, non-profits included, that owns or licenses “personal information” about a Massachusetts resident, whether that resident is an employee, a donor, a client or a customer. Here is the Press Release from the Office of Consumer Affairs and Business Regulation. Here is the Final Version of The Regulations.

2.  What is Meant by “Personal Information”?

The term “personal information” is defined in the law to mean a Massachusetts resident’s first and last name, or first initial and last name, in combination with any one or more of:

  1. The resident’s driver’s license number or state-issued identification card number;
  2. A financial account number or credit/debit card number (with or without any required security code, access code, PIN or password); or
  3. The resident’s Social Security number.

Two practical points follow from that definition. First, a name by itself is not personal information; the regulations are triggered only when a name is held together with one of the identifiers above, which is why a donor list with names and mailing addresses is treated differently from a payroll file with names and Social Security numbers. Second, the definition excludes information that is lawfully obtained from publicly available information or from government records lawfully made available to the public.

3.  What Security Programs Are Required?

The good news is that the regulations are risk-based: the information security program required of a covered entity is scaled to the size, scope and type of its business, the resources available to it, the amount of stored data, and the need for security and confidentiality of that data. Still, no covered entity, including non-profits and small businesses, is exempt from the mandates requiring it to, among other things:

  1. Develop, implement and maintain a formal, written information security program covering “personal information” (and, where third-party service providers handle that information, take reasonable steps to select providers capable of protecting it and require them by contract to do so);
  2. Train all employees (including part-timers, temps and contract employees) on the required storage, protection and access procedures; and
  3. Where personal information is stored or transmitted electronically, meet the regulations’ computer system security requirements to the extent technically feasible, including encryption of personal information sent across public networks or carried on laptops and other portable devices, secure user authentication and access controls, and current security patches and malware protection.

Perhaps more troublesome to non-profits and their employees (and, perhaps, their EPL (employment practices liability) insurers), the soon-to-be-effective law requires covered entities to impose disciplinary measures on employees who violate the program’s rules, and to prevent terminated employees from accessing records that contain “personal information.” In short, non-profits and their insurers must be knowledgeable about (and the non-profits compliant with) the ever-growing regime of data security laws enacted by the federal government, state legislatures, and federal and state regulators.

4.  What Does this Mean for Cyber/Tech Underwriters?

Cyber/tech underwriters will have to decide whether and how to address this evolving body of law. Cyber/tech policies (and perhaps even EPL policies) may need to be modified accordingly. As much as any other insurable interest, the changing world of cyber/tech law requires that underwriters stay absolutely current with the myriad evolving obligations and duties faced by their existing and future policyholders, including those policyholders that underwriters may not consider a high or likely risk. We at CyberInquirer are happy to help. Please feel free to contact us at rbortnick@cozen.com or ppengelley@cozen.com with any questions or concerns you may have.
