Deadline looms for Mass. data protection law
One year and several changes later, the law is set to go into effect March 1
Computerworld - After more than a year of delay and several modifications, a contentious Massachusetts data protection regulation appears set to go into effect March 1.
The law is aimed at getting companies to better protect consumer data. It affects all businesses that store personal information on Massachusetts residents, regardless of where the companies might be based.
The rules (see PDF) require businesses to encrypt sensitive personal information on Massachusetts residents that is stored on portable devices such as PDAs and laptops or on storage media such as memory sticks and DVDs. Any personal information that is transmitted over a public or wireless network will also need to be encrypted.
Companies are required to take reasonable measures to control end-user access to sensitive data and to protect authentication information that can be used to gain access to the data. Businesses will also need to limit the amount of personal data they collect and must maintain an inventory of the information, monitor its usage and have a formal security plan for protecting the data. The rules were crafted by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) and were originally supposed to go into effect Jan. 1, 2009. The deadline was extended twice as a result of considerable resistance from businesses covered under the law. The first extension pushed the deadline back to last May, and the second one pushed it to March 1.
One of the biggest concerns had to do with a provision -- that has since been modified -- requiring businesses to ensure that all third parties with access to personal information are also compliant with the Massachusetts law. The provision would have required companies to rewrite their vendor contracts and to take steps to ensure their service providers were compliant with the Massachusetts regulations.
As it stands, businesses only have to take "reasonable steps" to verify that their third-party service providers have the ability to protect personal information via measures that are comparable to those prescribed by the OCABR. Companies have until March 2012 to include language in their third-party contracts obligating their vendors to employ reasonable measures for protecting personal information.
Several trade associations and companies have blasted the bill as being overly prescriptive, intrusive and costly to implement. Last January, a coalition of 70 organizations, including the Retailers Association of Massachusetts, the Massachusetts Bankers Association, the Greater Boston Chamber of Commerce and several companies -- including Wal-Mart, Microsoft, Target and Google -- sent a letter to the OCABR demanding a "rigorous shareholder analysis" of the bill. The letter listed six areas of concern, including the mandatory encryption and data inventorying provisions.
Mobile devices still a concern
Boston attorney Deborah Birnbach, who has been advising clients on the regulations, said today that many companies appear to have put considerable effort into getting ready for the new provisions.
One remaining area of concern pertains to the encryption requirement for mobile devices. Many companies are struggling to figure out how to efficiently encrypt data that's stored on mobile devices such as BlackBerries and other smartphones, she said. Some companies are also struggling to ensure that personal data stored on backup storage media is encrypted, she said.
The regulations give the Massachusetts attorney general's office enforcement authority for the bill. It remains unclear what might provoke an enforcement action by the AG's office or what such enforcement might entail, Birnbach said. The most likely scenario is that the AG's office will use its authority to investigate data breaches to see if a breached entity was compliant with the requirements of the statute, she said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!