Controversial data-security rules slow to take hold in Massachusetts

New regulations on storing personal data have businesses up in arms — and not just in Massachusetts. But the state keeps delaying its compliance deadline.

Page 2 of 2

The OCABR didn't respond to requests for comment about the revision of the rules and the extension of the compliance window — the second one granted in the past three months by the agency, which originally wanted companies to comply by the start of this year.

However, in a statement included in the Feb. 12 announcement of the changes, Daniel Crane, the agency's undersecretary, tacitly acknowledged that even the May deadline was too soon for some companies.

"These new safeguards are fundamental standards that will keep information safer and will help businesses reinforce a vital sense of trust with customers," Crane said. But, he added, "it's worth making sure every business in the state has time to make the necessary changes to comply with these regulations." Crane also said that state officials "understand the impact of the current business environment" on companies.

The regulations initially mandated that companies get third-party service providers with access to personal data to certify that they were compliant with the rules. Under the revised version, businesses only have to take "all reasonable steps" to ensure that third parties are applying controls comparable to the ones spelled out by the OCABR.

Deborah Birnbach, an attorney at Boston-based Goodwin Procter LLP, said the third-party provision was a "very impractical and intrusive" mandate that would have required companies to rewrite their contracts with outside providers. That would have been onerous, according to Birnbach — especially for large businesses that deal with many third parties. "Our clients have been somewhat up in arms," she said.

But not everyone has a dire view of the new rules. Chris Cahalin, director of network operations at Papa Gino's Inc., said the Dedham, Mass.-based restaurant chain was on track to meet the requirements before the latest extension of the compliance deadline.

One of the keys to achieving compliance is to make sure that senior executives are aware of the regulations, Cahalin said. "Once you get management involved at that level, it makes it easier to go along. Then you can go on to educating users" — while also seeking their help in determining where personal data exists in systems, he said.

A large Massachusetts-based retailer was also on track to comply with the new rules by May, according to a network administrator there who asked not to be identified. The admin noted that the retailer already meets many of the encryption requirements as a result of its compliance with the Payment Card Industry Data Security Standard, a set of mandates imposed on merchants by the major credit card companies.

The only new thing the retailer is doing because of the regulations, he added, is installing a file-transfer process management system from Ipswitch Inc. to ensure that data moving across its internal network is fully encrypted. The tool "basically uses encryption as part of the transport mechanism," the network admin said.

But the bank CPO said that in many ways, the Massachusetts rules are more prescriptive than the security and privacy provisions of the federal Gramm-Leach-Bliley Act are. And, he added, it took many years for the bank to become fully compliant with that law after it was approved in 1999.

Copyright © 2009 IDG Communications, Inc.
