After more than a year of delay and several modifications, a contentious Massachusetts data protection regulation appears set to go into effect March 1.
The law is aimed at getting companies to better protect consumer data. It affects all businesses that store personal information on Massachusetts residents, regardless of where the companies might be based.
The rules (see PDF) require businesses to encrypt sensitive personal information on Massachusetts residents that is stored on portable devices such as PDAs and laptops or on storage media such as memory sticks and DVDs. Any personal information that is transmitted over a public or wireless network will also need to be encrypted.
Companies are required to take reasonable measures to control end-user access to sensitive data and to protect authentication information that can be used to gain access to the data. Businesses will also need to limit the amount of personal data they collect and must maintain an inventory of the information, monitor its usage and have a formal security plan for protecting the data.
The rules were crafted by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) and were originally supposed to go into effect Jan. 1, 2009. The deadline was extended twice as a result of considerable resistance from businesses covered under the law. The first extension pushed the deadline back to last May, and the second one pushed it to March 1.
One of the biggest concerns had to do with a provision — that has since been modified — requiring businesses to ensure that all third parties with access to personal information are also compliant with the Massachusetts law. The provision would have required companies to rewrite their vendor contracts and to take steps to ensure their service providers were compliant with the Massachusetts regulations.
As it stands, businesses only have to take “reasonable steps” to verify that their third-party service providers have the ability to protect personal information via measures that are comparable to those prescribed by the OCABR. Companies have until March 2012 to include language in their third-party contracts obligating their vendors to employ reasonable measures for protecting personal information.
Several trade associations and companies have blasted the bill as being overly prescriptive, intrusive and costly to implement. Last January, a coalition of 70 organizations, including the Retailers Association of Massachusetts, the Massachusetts Bankers Association, the Greater Boston Chamber of Commerce and several companies — including Wal-Mart, Microsoft, Target and Google — sent a letter to the OCABR demanding a “rigorous shareholder analysis” of the bill. The letter listed six areas of concern, including the mandatory encryption and data inventorying provisions.
Mobile devices still a concern
Boston attorney Deborah Birnbach, who has been advising clients on the regulations, said today that many companies appear to have put considerable effort into getting ready for the new provisions.
One remaining area of concern pertains to the encryption requirement for mobile devices. Many companies are struggling to figure out how to efficiently encrypt data that's stored on mobile devices such as BlackBerries and other smartphones, she said. Some companies are also struggling to ensure that personal data stored on backup storage media is encrypted, she said.
The regulations give the Massachusetts attorney general's office enforcement authority for the bill. It remains unclear what might provoke an enforcement action by the AG's office or what such enforcement might entail, Birnbach said. The most likely scenario is that the AG's office will use its authority to investigate data breaches to see if a breached entity was compliant with the requirements of the statute, she said.