For the second time in three months, Massachusetts officials have pushed back the deadline for companies to comply with a controversial set of data security regulations that the state announced last September.
In addition to the deadline extension, which was announced late yesterday, the state's Office of Consumer Affairs and Business Regulation (OCABR) also revised a key provision in the regulations that had prompted considerable concern within the business community both inside and outside of Massachusetts.
Under the new deadline, businesses now have until the start of next year to comply with the regulations, which are aimed at protecting the personal data of Massachusetts residents. Prior to the extension, the compliance deadline was May 1. That date was set in November, when the OCABR extended its original deadline of Jan. 1.
In a statement yesterday, OCABR undersecretary Daniel Crane said that given the importance of the data-protection mandate, state officials decided it was necessary to give companies more time to make the necessary changes to their systems and business processes. Crane also cited the economic recession. "We understand the impact of the current business environment, and feel [next January] is an appropriate time frame for companies to implement the necessary protections," he said.
As part of the revisions, state regulators also removed an especially contentious requirement mandating that companies get third parties with access to customer data to attest that they were compliant with the regulations as well. In addition, that provision also required third-party service providers to include language in their contracts specifying that they were willing and able to comply with the security rules.
Under the revised regulations, companies only have to take "reasonable steps" to verify that any third-party providers with access to personal data have the ability to protect the information through measures that are comparable to the ones spelled out by the OCABR.
Deborah Birnbach, an attorney at Goodwin Procter LLP in Boston who has been working with clients on compliance issues related to the regulations, said the changes are a definite improvement over the original rules, which she claimed would have required companies to rewrite their vendor contracts. Such a requirement would have been unreasonable, according to Birnbach — especially in the case of large companies that typically deal with numerous third parties at any given time. "Our clients have been somewhat up in arms," she said.
At a high level, the regulations — which implement the data breach provisions in the state's consumer protection law — require any business that handles sensitive personal information on Massachusetts residents to encrypt the data while it's being transmitted over public networks or stored on mobile devices such as laptops, handhelds and memory sticks.
The rules also require companies to limit the amount of data they collect, have written security policies and maintain a detailed inventory of all personal data, whether it is stored in computers, archived on tapes or kept in paper files. In addition, businesses must deploy adequate physical and technical security controls for safeguarding protected data and properly authenticating users who are given access to the information.
At least prior to the revisions, the regulations were widely regarded as one of the most stringent sets of state-level data protection mandates in the country. The rules are targeted at all companies that handle the personal data of Massachusetts residents, whether they're based in the state or not, although there are questions about whether the regulations would be enforceable outside of the state.
Critics have slammed the regulations for being overly prescriptive and intrusive and have been pressing state regulators to tone them down. In January, a coalition of 70 organizations — including the Retailers Association of Massachusetts, the Massachusetts Bankers Association, the Greater Boston Chamber of Commerce and companies such as Wal-Mart, Target, Microsoft and Google — submitted a petition to the OCABR asking for a "rigorous stakeholder analysis" of the bill.
The petition pointed to ongoing efforts in New Jersey, where a similar measure is being implemented but in a much more phased manner over a two-year period, and said that Massachusetts should consider adopting a similar model. In total, the petition listed six areas of concern with the regulations, including the mandatory encryption and data inventorying provisions and what it described as the "overly aggressive compliance date for implementing the standards."
In an interview with Computerworld before the new revisions were announced, Jon Hurst, president of the Retailers Association of Massachusetts, noted that the timing of the regulations is especially unfortunate because of the recession. Given the fact that most companies are in survival mode, it would be difficult for them to implement costly new security measures at the same time, Hurst said.