Controversial data-security rules slow to take hold in Massachusetts

Computerworld - Massachusetts officials this month gave companies a second reprieve on complying with new regulations aimed at any entity that stores the personal data of state residents. They also softened a particularly contentious provision requiring businesses to ensure that third parties handling such data are in compliance with the rules.

But the state left intact other parts of the regulations that have sparked criticism from the business community both inside and outside of Massachusetts. And even with the extension of the compliance deadline from May 1 to the start of next year, meeting the requirements could be a challenge for some companies.

Massachusetts isn't the only state imposing security regulations on businesses. Last fall, Nevada put into effect a rule requiring personal data to be encrypted if it's transmitted outside of a company's network. And New Jersey is phasing in a set of data security mandates over a two-year period.

But the regulations announced last September by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) specify a long list of steps for protecting personal data and require companies to create wide-ranging internal security programs and policies. Also, the OCABR defines personal data more stringently: as an individual's name along with his Social Security or driver's license number, or with a financial account number. In Nevada, bank and credit card numbers must also be accompanied by a PIN or password to meet the state's definition of personal data.

In addition, the OCABR's rules were written to apply to all organizations that handle the data of Massachusetts residents, whether the businesses are based in the state or not. And the regulations are expected to spawn a host of me-too measures in other states.

From an implementation standpoint, the rules set by Massachusetts are "the most stringent data security regulations in the U.S," said the chief privacy officer at a large bank that has numerous branches in the state.

Because of the wide range of mandated actions, finding enough "time and capacity to implement this in a meaningful way" will be a big hurdle, said the CPO, who requested anonymity. "Pushing an unreasonable timeline to businesses will force many to duct-tape together a [security] program that appears to meet the requirements but offers little real protection," he warned.

Last month, a coalition of 70 organizations — including the Retailers Association of Massachusetts, the Massachusetts Bankers Association, the Greater Boston Chamber of Commerce and companies such as Wal-Mart, Target, Microsoft and Google — submitted a petition to the OCABR asking for a "rigorous stakeholder analysis" of the regulations.

The petition questioned the third-party data-handling rules and the need for mandatory encryption, data inventories and limits on the information that companies collect. It also described the May 1 compliance deadline as "overly aggressive" and called for a phased approach like New Jersey's.

"A vast majority of companies in Massachusetts and around the country know nothing about this regulation," said Jon Hurst, president of the Retailers Association of Massachusetts.

Hurst said the Boston-based trade group isn't opposed to the idea of improving data security. But he questioned the wisdom of requiring companies to adopt costly new security measures at a time when many are struggling "just to make payroll" because of the economic recession.