Massachusetts Data Protection Law Amended, Delayed - Again

New Rules Now Won't Apply Until March 2010
Massachusetts Data Protection Law Amended, Delayed - Again
Once again, Massachusetts is delaying the compliance deadline for its toughest-in-the-nation data protection rules. The new effective date is March 1, 2010.

Saying that the state must balance the needs of consumer privacy protection with the needs of small business, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has also amended its data security regulations. Earlier this week the OCABR announced the revised rules will facilitate a "risk-based approach" to data security - an approach that is expected to help the small-business community.

The OCABR also modified the regulations to make them technology neutral. A public hearing on the changes will be held on September 22 in Boston.

Barbara Anthony, the Massachusetts Undersecretary of the Office of Consumer Affairs and Business Regulation, says the adjustments to Massachusetts' identity theft regulations will also reinforce flexibility in compliance by small businesses.

The risk-based approach is especially important to small businesses that may not handle a lot of personal information about customers, says Anthony. Under a risk-based approach, a business, in developing a written security program, should take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

New wording in the regulations recognizes that the size of a business and the amount of personal information it handles play a role in the data security plan the business creates. The new language requires safeguards appropriate to:

  • Size, scope and type of business handling the information;
  • Resources available to the business;
  • Amount of stored data;
  • Need for security and confidentiality of both consumer and employee information.

Agnes Bundy Scanlan, a Boston-based lawyer at Goodwin Procter, says she wasn't surprised by the extension. "It seems as though the small business community rallied together and presented unwavering arguments against several areas of the regulation," says Bundy Scanlan, who is also a board member of the International Association of Privacy Professionals (IAPP).

Changes to the regulations, Anthony says, make clear they are risk-based in implementation, not just in enforcement, as had been the case in earlier versions of the regulations. In addition to now being "technology neutral," the regulation acknowledges that technical feasibility plays a role in what many businesses -- especially small ones -- can do to protect data. The overall approach is more consistent with federal law, Anthony states.

"Whether it's a small amount of employee paperwork, or a large amount of consumer information kept on an electronic database, each requires its own appropriate level of security and protection," Anthony says. "The changes we are making reflect that reality without exposing companies or consumers to a heightened risk of theft."

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.