Massachusetts Supreme Judicial Court Order Regarding the Protection of Personal Information
Introduction. Massachusetts General Laws c. 93H provides that the judicial branch shall adopt rules or regulations to safeguard certain nonpublic personal information relating to residents of the Commonwealth, the improper or inadvertent disclosure of which could create a substantial risk of identity theft or fraud. This Order governs the security and confidentiality of personal information as defined by c. 93H in the Judicial Branch. It is designed to safeguard the personal information of all individuals, including nonresidents. It shall apply to the appellate courts, trial courts, court administrative offices and court affiliates, which shall be in compliance by September 1, 2010.
Definition. Under G. L. c. 93H, personal information consists of a resident’s “first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such resident:
a. Social Security number;
b. driver’s license number or state-issued identification card number;
c. financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.
Chapter 93H provides that personal information "shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public."
Information Security Program. Each appellate court, the Trial Court and any court affiliate that owns, stores or maintains personal information about an individual shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information. The information security program shall govern the collection, use, dissemination, storage, retention and destruction of personal information. The program shall ensure that courts and court affiliates collect the minimum quantity of personal information reasonably needed to accomplish the legitimate purpose for which the information is collected; securely store and protect the information against unauthorized access, destruction, use, modification, disclosure or loss; provide access to and disseminate the information only to those who reasonably require the information to perform their duties; and destroy the information as soon as it is no longer needed or required to be maintained. Such information security program shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records.
Every information security program shall include:
(1) A requirement for notice to the Chief Justice for Administration and Management in the case of a trial court, and to the appropriate Chief Justice in the case of an appellate court, in the event of any incident involving a breach of security[Note 1] of personal information.
(2) Regular monitoring to ensure that the information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.
(3) A regular review, at least annually, of the scope of the security measures. Such review also must be conducted whenever there is an incident involving a breach of security and when there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
(4) Documentation of responsive actions taken in connection with any incident involving a breach of security, and actions taken, if any, to make changes in practices relating to protection of personal information.
Departmental reviews. Each appellate court, court department and court entity shall review the type of personal information it collects and maintains with the goal of identifying any personal information that need not be collected or maintained. Each department will report the results of this review to the Chief Justice for Administration and Management, or, in the case of the appellate courts and affiliated agencies, to the Chief Justice of the Supreme Judicial Court, within six months.
Computer systems. If personal information is stored electronically, the information security program shall include provisions that relate to the protection of personal information stored or maintained in electronic form. Such provisions shall be developed with the Courts' Chief Information Officers.
Contracts. All contracts entered into by the Judicial Branch shall contain provisions requiring contractors to notify the court of any incident involving a breach of security of personal information, and to certify that they have read this Order, that they have reviewed and will comply with all information security programs and policies that apply to the work they will be performing, that they will communicate these provisions to and enforce them against their subcontractors, and that they will implement and maintain any other reasonable and appropriate security procedures and practices necessary to protect personal information to which they are given access as part of the contract from unauthorized access, destruction, use, modification, disclosure or loss.
[Note 1] G. L. c. 93H defines breach of security as "the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure."
January 7, 2010.