Massachusetts extends compliance deadline on new data-encryption rules

Economic woes prompt state to give companies more time to meet data security regulations

Companies that have to comply with tough new regulations mandating the use of encryption and other security controls for protecting the personal data of Massachusetts residents are being given more time to do so.

Last Friday, the state's Office of Consumer Affairs and Business Regulation (OCABR) extended the compliance deadline from Jan. 1 to May 1. In its announcement, the OCABR said the extension was prompted by current economic conditions and is designed to give more flexibility to companies that may be experiencing financial difficulties.

Businesses now have until next May to ensure that they and their third-party service providers comply with the OCABR regulations (201 CMR 17.00), which implement the state's data security and breach notification law (M.G.L. c. 93H). In addition, the deadline for obtaining written certification from third-party providers that they meet the requirements has been pushed back to Jan. 1, 2010.

Companies will also have until Jan. 1, 2010, to encrypt sensitive data about Massachusetts residents on portable devices such as PDAs, memory sticks and DVDs, although personal data stored on laptops must be encrypted by next May. The OCABR noted that numerous data breaches have resulted from lost or stolen laptops and that information can more easily be encrypted on those systems than on smaller devices.

The regulations were issued in September and apply to personal information about Massachusetts residents, defined as a resident's name in combination with a Social Security number, driver's license or state ID number, or a bank account, credit or debit card number. Under the new rules, companies have to encrypt such data while it is stored on laptops and other portable devices or being transmitted over public networks or wirelessly. They also need to ensure that third parties that have access to the data can protect it in the same manner.

In addition to the encryption mandate, the regulations require companies to take reasonable measures to control end-user access to sensitive data and protect authentication information that can be used to gain access to the information. The law also requires businesses to limit the amount of personal data that they collect, maintain an inventory of the information, monitor its usage and have a formal written plan detailing all of the measures they've implemented.

Some of the requirements being mandated in Massachusetts have long been considered best practices and even common-sense approaches to protecting data. In fact, for more than three years, the Payment Card Industry Data Security Standard, developed by the major credit card companies, has required all retailers and other entities that accept payment card transactions to adopt similar methods for protecting cardholder data.

The key difference is that the mandates in Massachusetts are coming from a government agency and carry the full authority of state law, whereas PCI DSS is a contractual obligation enforced by the card brands and acquiring banks through fines and the loss of card-acceptance privileges. Companies that suffer data breaches and are found to have been noncompliant with the regulations could face greater legal and financial exposure than the PCI standard provides for. The PCI rules also relate specifically to payment card data, while the Massachusetts regulations cover a broader set of personal information.

The cost of complying with the requirements will vary depending on the size of a company and the security controls it already has in place. According to a cost estimate prepared by the OCABR, a small business with up to 10 employees and an installed base of one server, three laptops and seven desktop PCs can expect to incur about $3,000 in added costs to implement all of the required measures. Ongoing costs to maintain the security controls at such a company shouldn't exceed $500 per month, said the OCABR, which assumed as part of the estimate that the company would already employ a full-time systems administrator.

Massachusetts is one of only two states — the other being Nevada — that spell out in such a specific manner the steps that companies are required to take to protect consumer data. In California, data breach legislation that would have set similar requirements, although specifically for payment card data, has twice been vetoed by Gov. Arnold Schwarzenegger, despite gaining broad bipartisan support in the state Assembly and Senate.

Some businesses, most notably financial institutions, have lobbied for stronger data-protection laws, but opponents have expressed reservations about state and federal attempts to legislate information security practices. Those who are critical of such legislation argue that while it's appropriate for government bodies to set breach disclosure standards, having them dictate specific security controls can be problematic. Supporters, though, insist that stringent laws are needed to force organizations that collect and store sensitive data to take better care of it.

Copyright © 2008 IDG Communications, Inc.