Massachusetts Data Protection Law Amended, Delayed - Again
New Rules Now Won't Apply Until March 2010

Saying that the state must balance the needs of consumer privacy protection with the needs of small business, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has also amended its data security regulations. Earlier this week the OCABR announced that the revised rules will facilitate a "risk-based approach" to data security, an approach that is expected to help the small-business community.
The OCABR also modified the regulations to make them technology neutral. A public hearing on the changes will be held on September 22 in Boston.
Barbara Anthony, the Massachusetts Undersecretary of the Office of Consumer Affairs and Business Regulation, says the adjustments to Massachusetts' identity theft regulations will also reinforce flexibility in compliance by small businesses.
The risk-based approach is especially important to small businesses that may not handle a lot of personal information about customers, says Anthony. Under a risk-based approach, a business, in developing a written security program, should take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.
New wording in the regulations recognizes that the size of a business and the amount of personal information it handles play a role in the data security plan the business creates. The new language requires safeguards appropriate to:
- Size, scope and type of business handling the information;
- Resources available to the business;
- Amount of stored data;
- Need for security and confidentiality of both consumer and employee information.
Agnes Bundy Scanlan, a Boston-based lawyer at Goodwin Procter, says she wasn't surprised by the extension. "It seems as though the small business community rallied together and presented unwavering arguments against several areas of the regulation," says Bundy Scanlan, who is also a board member of the International Association of Privacy Professionals (IAPP).
Changes to the regulations, Anthony says, make clear that they are risk-based in implementation, not only in enforcement, as had been the case in earlier versions of the regulations. In addition to now being "technology neutral," the regulation acknowledges that technical feasibility plays a role in what many businesses, especially small ones, can do to protect data. The overall approach is more consistent with federal law, Anthony states.
"Whether it's a small amount of employee paperwork, or a large amount of consumer information kept on an electronic database, each requires its own appropriate level of security and protection," Anthony says. "The changes we are making reflect that reality without exposing companies or consumers to a heightened risk of theft."