Massachusetts Data Protection Law: What Your Business Needs to Know
Deadline Extended for Businesses to Comply with New, Tough Standards For the second time in four months, the Commonwealth of Massachusetts has pushed back the implementation of its new data protection law - one of the toughest in the nation.Yet even with the new deadline of January 2010, many of the businesses impacted by these stringent data protection requirements won't be compliant, say industry experts familiar with the new regulation.
The regulation is described by many as the nation's most cumbersome data security regulation. It will require all entities that license, store or maintain personal information about a Massachusetts resident to implement a comprehensive information security program -- even if the business or entity does not have offices in the state.
Agnes Bundy Scanlan, a lawyer at Boston's Goodwin Procter, and a board member of the International Association of Privacy Professionals (IAPP), says that while in general the Massachusetts data protection law is "pretty complicated," it has gone through revisions and extensions. "But as it stands today, businesses that have Massachusetts residents' information will have to have a comprehensive written security program, and heightened security procedures, including encryption."
Nick Holland, an analyst at Aite Group, says this regulation will continue to have real pushback from businesses. "Even if there wasn't a recession, this regulation still would be something that businesses would be reluctant to comply with," Holland says. "It will cost them money, and many have the attitude [a data breach] will happen to someone else."
Why a Tougher Standard?
The Massachusetts regulation was prompted by several high-profile data breaches that impacted residents, including the TJX case that first made headlines in 2007. "Clearly, the Massachusetts government didn't believe that data breach notification alone was sufficient to protect its citizens," Bundy Scanlan says. "Given the current climate of consumer protectionism, I think this law will gain attention, not just in the state."
The Massachusetts law is breaking new ground in data protection requirements, just as the California state data breach notification law that was passed in 2003 did for state data breach notification laws. The effect of the Massachusetts law has already been seen, as other states such as Michigan are looking at passing similar tough data protection requirements for their state residents' personal information. CA-1386 was passed by California state legislators after a 2002 data breach affected thousands of state workers, including some of the legislators themselves.
The Massachusetts law was passed in September 2008 and was to be effective on Jan. 1 of this year. But it immediately faced vocal opposition, and lawmakers relented and pushed back the compliance date to May 1, 2009. In the January public hearing held by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) the room was packed with businesses and representatives from other entities calling for more time.
Representatives of the Greater Boston Chamber of Commerce, Massachusetts Business Coalition, various nonprofits, colleges and universities and others at the January meeting testified the near impossibility of complying with the encryption standards, as well as the enormous investment of time, energy, and scarce cash required by this undertaking.
By mid-February, the Massachusetts government made a decision to push back the date for compliance with the new regulations, says OCABR undersecretary Daniel Crane because of the recession and to give entities more time to comply. "We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections," Crane said in a statement.
Revised Requirements
One key revision announced in the February statement was the removal of the requirement that companies get third parties with access to customer data to confirm they were compliant with the regulations as well. Now the revised regulations require that companies only have to take "reasonable steps" to verify that any third-party providers with access to personal data have the ability to protect the information through measures that are comparable to the ones spelled out by the regulations.
Still, the regulations require that companies limit the amount of data they collect, have and maintain written security policies and keep a detailed inventory of all personal data and where it is stored, whether on electronic media or on paper. The regulations require any business that handles sensitive personal information on citizens of the Commonwealth of Massachusetts to encrypt that data as it is transmitted over the Internet or stored on external mobile devices such as laptops, flashdrives and other mobile storage equipment.
The businesses must also have adequate physical and technical security controls for safeguarding protected data and properly authenticating users who are given access to the information. Prior to the revision on third-party verification, they were regarded as the most stringent set of state-mandated data protection regulations. They would target any business that handled information on Massachusetts residents, regardless of whether the company was based in the state.
Compliance: Where to Start?
Bundy Scanlan recommends for financial institutions with customers who are residents in the state to continue to work toward compliance with the law.
"They should do as much as they possibly can; then if it is a systems problem with encryption, they will at least show they are doing their due diligence for the regulator."
She notes that OCABR has been very helpful toward businesses that want further explanations on how to comply with the regulation.
For institutions or other businesses that have not started work on compliance, Bundy Scanlan recommends the following steps: