BankInfoSecurity.com - Information Security News, Regulations, & Education

Massachusetts Data Protection Law: What Your Business Needs to Know

Deadline Extended for Businesses to Comply with New, Tough Standards
March 10, 2009 - Linda McGlasson, Managing Editor
For the second time in four months, the Commonwealth of Massachusetts has pushed back the implementation of its new data protection law - one of the toughest in the nation.

Yet even with the new deadline of January 2010, many of the businesses impacted by these stringent data protection requirements won't be compliant, say industry experts familiar with the new regulation.

The regulation is described by many as the nation's most cumbersome data security regulation. It will require all entities that license, store or maintain personal information about a Massachusetts resident to implement a comprehensive information security program -- even if the business or entity does not have offices in the state.

Agnes Bundy Scanlan, a lawyer at Boston's Goodwin Procter, and a board member of the International Association of Privacy Professionals (IAPP), says that while in general the Massachusetts data protection law is "pretty complicated," it has gone through revisions and extensions. "But as it stands today, businesses that have Massachusetts residents' information will have to have a comprehensive written security program, and heightened security procedures, including encryption."

Nick Holland, an analyst at Aite Group, says this regulation will continue to face real pushback from businesses. "Even if there wasn't a recession, this regulation still would be something that businesses would be reluctant to comply with," Holland says. "It will cost them money, and many have the attitude [a data breach] will happen to someone else."

Why a Tougher Standard?

The Massachusetts regulation was prompted by several high-profile data breaches that impacted residents, including the TJX case that first made headlines in 2007. "Clearly, the Massachusetts government didn't believe that data breach notification alone was sufficient to protect its citizens," Bundy Scanlan says. "Given the current climate of consumer protectionism, I think this law will gain attention, not just in the state."

The Massachusetts law is breaking new ground in data protection requirements, just as the California data breach notification law passed in 2003 did for state breach notification laws. CA-1386 was passed by California legislators after a 2002 data breach affected thousands of state workers, including some of the legislators themselves. The effect of the Massachusetts law is already visible: other states, such as Michigan, are considering similarly tough data protection requirements for their residents' personal information.

The Massachusetts law was passed in September 2008 and was to take effect on Jan. 1 of this year. But it immediately faced vocal opposition, and lawmakers relented and pushed back the compliance date to May 1, 2009. At the January public hearing held by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), the room was packed with businesses and representatives of other entities calling for more time.

Representatives of the Greater Boston Chamber of Commerce, the Massachusetts Business Coalition, various nonprofits, colleges and universities, and others at the January meeting testified to the near impossibility of complying with the encryption standards, as well as the enormous investment of time, energy, and scarce cash the undertaking would require.

By mid-February, the Massachusetts government decided to push back the compliance date for the new regulations, OCABR undersecretary Daniel Crane says, because of the recession and to give entities more time to comply. "We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections," Crane said in a statement.

Revised Requirements

One key revision announced in the February statement was the removal of the requirement that companies obtain confirmation from third parties with access to customer data that those third parties were also compliant with the regulations. The revised regulations now require only that companies take "reasonable steps" to verify that any third-party providers with access to personal data can protect the information through measures comparable to those spelled out by the regulations.
