Massachusetts Tweaks Its Data Security Regs

Massachusetts Tweaks Its Data Security Regs

The Commonwealth of Massachusetts, home of the infamous 2007 TJX data security breach, is the first state to require detailed regulation over how personal data is secured. As an incubator of a new kind of law, it has found that getting the regs right is no easy task. The regs have been revised once already, and the deadline for compliance has been extended once before.

Our friend from her FTC days, Barbara Anthony, now Massachusetts Undersecretary of the Office of Consumer Affairs and Business Regulation, took up her post this year, and heard various concerns expressed by many small businesses and others about the effect of even the revised regs. So, yesterday she announced that a second revision to the Massachusetts data security regulations will occur, and that the original compliance deadline of January 1, 2010 will be extended again, this time to March 1, 2010. The regulations now will have a “risk-based approach”, which is intended to make it easier for small businesses that may not handle a lot of personal information about customers. Several specific provisions required to be included in a business’s Written Information Security Program have been removed from the regulation and are intended as guidance only. The scope of the regulations was revised to cover “persons who own or license personal information,” removing previous regulatory language related to those that “store or maintain personal information”. (Thus, if a business simply uses swipe technology for credit cards only, and does not have actual custody or control over the personal information, then a business does not own or license personal information with respect to that data. Still, Payment Card Industry (PCI) standards would have to be observed.) The encryption definition was amended to be technology neutral and, in addition, technical feasibility will apply to all computer security requirements.

As to portable devices, only those that contain personal information of customers or employees need to be protected and only where “technically feasible”. And as to back-up tapes, there is a requirement to encrypt backup tapes on a prospective basis, but with respect to the transport of a backup tape from storage, only if it is technically feasible to encrypt must one do so prior to the transfer. If it is not technically feasible and there is sensitive personal information on the tapes, the regs suggest that using an armored car service (rather than an ordinary courier) would be in order.

Getting granular is hard, as the regulators in Mass. have found, but kudos to them for trying. Interested parties will have another opportunity to weigh in on this round of revisions at a public hearing in Boston on September 22d and written comments will be accepted until September 25th. For more details, click here.

Leave a Reply


Privacy Calendar

Apr
22
Tue
10:00 am Privacy Principles in the Era of Massive Data @ Georgetown Law Center
Privacy Principles in the Era of… @ Georgetown Law Center
Apr 22 @ 10:00 am – 12:00 pm
Experts from the public and private sectors will join public policy experts from the Georgetown University McCourt School of Public Policy and privacy law experts [...]
Apr
24
Thu
all-day 6th Biannual International Surveillance & Society Conference
6th Biannual International Surve…
Apr 24 – Apr 25 all-day
The 6th Biannual International Surveillance & Society conference hosted by the University of Barcelona and supported by the Surveillance Studies Network is currently calling for [...]
Apr
29
Tue
all-day IAPP Europe Data Protection Intensive 2014
IAPP Europe Data Protection Inte…
Apr 29 – May 1 all-day
The IAPP Europe Data Protection Intensive features timely programming centred on the top issues impacting the European data protection community, with a focus on addressing [...]
May
7
Wed
all-day IAPP Canada Privacy Symposium 2014
IAPP Canada Privacy Symposium 2014
May 7 – May 9 all-day
The IAPP Canada Privacy Symposium is the leading conference for education, debate and discussion of issues that matter most to Canadian privacy and data protection [...]
Jun
5
Thu
all-day Privacy Law Scholars Conference (7th Annual) @ The George Washington School of Law
Privacy Law Scholars Conference … @ The George Washington School of Law
Jun 5 – Jun 6 all-day
  UC Berkeley School of Law and The George Washington University Law School will be holding the seventh annual Privacy Law Scholars Conference (PLSC) on [...]
Jun
8
Sun
all-day Computers, Freedom, and Privacy 2014 Conference @ Airlie Center
Computers, Freedom, and Privacy … @ Airlie Center
Jun 8 – Jun 10 all-day
Mark your calendars! The 2014 Computers, Freedom, and Privacy Conference will be held June 8-10 at the Airlie Center in Warrenton, Virginia. The Airlie Center [...]
Jan
28
Wed
all-day Data Privacy Day
Data Privacy Day
Jan 28 all-day
“Data Privacy Day began in the United States and Canada in January 2008, as an extension of the Data Protection Day celebration in Europe. The [...]
Jan
28
Thu
all-day Data Privacy Day
Data Privacy Day
Jan 28 all-day
“Data Privacy Day began in the United States and Canada in January 2008, as an extension of the Data Protection Day celebration in Europe. The [...]

View Calendar