Massachusetts Data Protection Law Amended, Delayed - Again

New Rules Now Won't Apply Until March 2010
August 20, 2009 - Linda McGlasson, Managing Editor
Once again, Massachusetts is delaying the compliance deadline for its toughest-in-the-nation data protection rules. The new effective date is March 1, 2010.

Saying that the state must balance the needs of consumer privacy protection with the needs of small business, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has also amended its data security regulations. Earlier this week the OCABR announced the revised rules will facilitate a "risk-based approach" to data security - an approach that is expected to help the small-business community.

The OCABR also modified the regulations to make them technology neutral. A public hearing on the changes will be held on September 22 in Boston.

Barbara Anthony, the Massachusetts Undersecretary of the Office of Consumer Affairs and Business Regulation, says the adjustments to Massachusetts' identity theft regulations will also give small businesses more flexibility in how they comply.

The risk-based approach is especially important to small businesses that may not handle a lot of personal information about customers, says Anthony. Under a risk-based approach, a business developing a written security program should take into account its size, the nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

New wording in the regulations recognizes that the size of a business and the amount of personal information it handles play a role in the data security plan the business creates. The new language requires safeguards appropriate to:

  • Size, scope and type of business handling the information;
  • Resources available to the business;
  • Amount of stored data;
  • Need for security and confidentiality of both consumer and employee information.

Agnes Bundy Scanlan, a Boston-based lawyer at Goodwin Procter, says she wasn't surprised by the extension. "It seems as though the small business community rallied together and presented unwavering arguments against several areas of the regulation," says Bundy Scanlan, who is also a board member of the International Association of Privacy Professionals (IAPP).

Changes to the regulations, Anthony says, make clear they are risk-based in implementation, not just in enforcement, as had been the case in earlier versions of the regulations. In addition to now being "technology neutral," the regulation acknowledges that technical feasibility plays a role in what many businesses -- especially small ones -- can do to protect data. The overall approach is more consistent with federal law, Anthony states.

"Whether it's a small amount of employee paperwork, or a large amount of consumer information kept on an electronic database, each requires its own appropriate level of security and protection," Anthony says. "The changes we are making reflect that reality without exposing companies or consumers to a heightened risk of theft."