Deadline looms for Mass. data protection law
One year and several changes later, the law is set to go into effect March 1
Computerworld - After more than a year of delay and several modifications, a contentious Massachusetts data protection regulation appears set to go into effect March 1.
The law is aimed at getting companies to better protect consumer data. It affects all businesses that store personal information on Massachusetts residents, regardless of where the companies might be based.
The rules (see PDF) require businesses to encrypt sensitive personal information on Massachusetts residents that is stored on portable devices such as PDAs and laptops or on storage media such as memory sticks and DVDs. Any personal information that is transmitted over a public or wireless network will also need to be encrypted.
Companies are required to take reasonable measures to control end-user access to sensitive data and to protect authentication information that can be used to gain access to the data. Businesses will also need to limit the amount of personal data they collect and must maintain an inventory of the information, monitor its usage and have a formal security plan for protecting the data. The rules were crafted by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) and were originally supposed to go into effect Jan. 1, 2009. The deadline was extended twice as a result of considerable resistance from businesses covered under the law. The first extension pushed the deadline back to last May, and the second one pushed it to March 1.
One of the biggest concerns had to do with a provision -- that has since been modified -- requiring businesses to ensure that all third parties with access to personal information are also compliant with the Massachusetts law. The provision would have required companies to rewrite their vendor contracts and to take steps to ensure their service providers were compliant with the Massachusetts regulations.
As it stands, businesses only have to take "reasonable steps" to verify that their third-party service providers have the ability to protect personal information via measures that are comparable to those prescribed by the OCABR. Companies have until March 2012 to include language in their third-party contracts obligating their vendors to employ reasonable measures for protecting personal information.
Several trade associations and companies have blasted the bill as being overly prescriptive, intrusive and costly to implement. Last January, a coalition of 70 organizations, including the Retailers Association of Massachusetts, the Massachusetts Bankers Association, the Greater Boston Chamber of Commerce and several companies -- including Wal-Mart, Microsoft, Target and Google -- sent a letter to the OCABR demanding a "rigorous shareholder analysis" of the bill. The letter listed six areas of concern, including the mandatory encryption and data inventorying provisions.
Mobile devices still a concern
Boston attorney Deborah Birnbach, who has been advising clients on the regulations, said today that many companies appear to have put considerable effort into getting ready for the new provisions.
One remaining area of concern pertains to the encryption requirement for mobile devices. Many companies are struggling to figure out how to efficiently encrypt data that's stored on mobile devices such as BlackBerries and other smartphones, she said. Some companies are also struggling to ensure that personal data stored on backup storage media is encrypted, she said.
The regulations give the Massachusetts attorney general's office enforcement authority for the bill. It remains unclear what might provoke an enforcement action by the AG's office or what such enforcement might entail, Birnbach said. The most likely scenario is that the AG's office will use its authority to investigate data breaches to see if a breached entity was compliant with the requirements of the statute, she said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- Firewall Buyers Guide Operate as the core of your network security infrastructure
- Getting Started With a Zero Trust Approach to Network Security The Traditional Approach to Network Security is Failing. View Now>>
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts