Cyber Security Institute

Tuesday, March 10, 2009

Massachusetts Data Protection Law Date Extended: What Your Business Needs to Know

For the second time in four months, the Commonwealth of Massachusetts has pushed back the implementation of its new data protection law - one of the toughest in the nation.  Yet even with the new deadline of January 2010, many of the businesses impacted by these stringent data protection requirements won’t be compliant, say industry experts familiar with the new regulation.  The regulation is described by many as the nation’s most cumbersome data security regulation.  It will require all entities that license, store or maintain personal information about a Massachusetts resident to implement a comprehensive information security program—even if the business or entity does not have offices in the state.

Agnes Bundy Scanlan, a lawyer at Boston’s Goodwin Procter, and a board member of the International Association of Privacy Professionals (IAPP), says that while in general the Massachusetts data protection law is “pretty complicated,” it has gone through revisions and extensions.  “But as it stands today, businesses that have Massachusetts residents’ information will have to have a comprehensive written security program, and heightened security procedures, including encryption.”  “Even if there wasn’t a recession, this regulation still would be something that businesses would be reluctant to comply with,” Holland says.

The Massachusetts regulation was prompted by several high-profile data breaches that impacted residents, including the TJX case that first made headlines in 2007.

“Clearly, the Massachusetts government didn’t believe that data breach notification alone was sufficient to protect its citizens,” Bundy Scanlan says.

The Massachusetts law is breaking new ground in data protection requirements, just as the California state data breach notification law that was passed in 2003 did for state data breach notification laws.  CA-1386 was passed by California state legislators after a 2002 data breach affected thousands of state workers, including some of the legislators themselves.

In the January public hearing held by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), the room was packed with businesses and representatives from other entities calling for more time.  Representatives of the Greater Boston Chamber of Commerce, Massachusetts Business Coalition, various nonprofits, colleges and universities and others at the January meeting testified to the near impossibility of complying with the encryption standards, as well as the enormous investment of time, energy, and scarce cash required by this undertaking.  By mid-February, the Massachusetts government made a decision to push back the date for compliance with the new regulations, says OCABR undersecretary Daniel Crane, because of the recession and to give entities more time to comply.

Still, the regulations require that companies limit the amount of data they collect, have and maintain written security policies, and keep a detailed inventory of all personal data and where it is stored, whether on electronic media or on paper.  The regulations require any business that handles sensitive personal information on citizens of the Commonwealth of Massachusetts to encrypt that data as it is transmitted over the Internet or stored on external mobile devices such as laptops, flash drives and other mobile storage equipment.  “They should do as much as they possibly can; then if it is a systems problem with encryption, they will at least show they are doing their due diligence for the regulator.”
