Massachusetts Tweaks Its Data Security Regs

Massachusetts Tweaks Its Data Security Regs

The Commonwealth of Massachusetts, home of the infamous 2007 TJX data security breach, is the first state to require detailed regulation over how personal data is secured. As an incubator of a new kind of law, it has found that getting the regs right is no easy task. The regs have been revised once already, and the deadline for compliance has been extended once before.

Our friend from her FTC days, Barbara Anthony, now Massachusetts Undersecretary of the Office of Consumer Affairs and Business Regulation, took up her post this year, and heard various concerns expressed by many small businesses and others about the effect of even the revised regs. So, yesterday she announced that a second revision to the Massachusetts data security regulations will occur, and that the original compliance deadline of January 1, 2010 will be extended again, this time to March 1, 2010. The regulations now will have a “risk-based approach”, which is intended to make it easier for small businesses that may not handle a lot of personal information about customers. Several specific provisions required to be included in a business’s Written Information Security Program have been removed from the regulation and are intended as guidance only. The scope of the regulations was revised to cover “persons who own or license personal information,” removing previous regulatory language related to those that “store or maintain personal information”. (Thus, if a business simply uses swipe technology for credit cards only, and does not have actual custody or control over the personal information, then a business does not own or license personal information with respect to that data. Still, Payment Card Industry (PCI) standards would have to be observed.) The encryption definition was amended to be technology neutral and, in addition, technical feasibility will apply to all computer security requirements.

As to portable devices, only those that contain personal information of customers or employees need to be protected and only where “technically feasible”. And as to back-up tapes, there is a requirement to encrypt backup tapes on a prospective basis, but with respect to the transport of a backup tape from storage, only if it is technically feasible to encrypt must one do so prior to the transfer. If it is not technically feasible and there is sensitive personal information on the tapes, the regs suggest that using an armored car service (rather than an ordinary courier) would be in order.

Getting granular is hard, as the regulators in Mass. have found, but kudos to them for trying. Interested parties will have another opportunity to weigh in on this round of revisions at a public hearing in Boston on September 22d and written comments will be accepted until September 25th. For more details, click here.

Leave a Reply


Privacy Calendar

Oct
20
Mon
An Evening Not to be Forgotten @ Edmund A. Walsh Memorial
An Evening Not to be Forgotten @ Edmund A. Walsh Memorial
Oct 20 @ 5:00 pm – 6:30 pm
Join us for an evening of wine and cheese to discuss the digital Right to be Forgotten in the heart of Georgetown University’s main campus. The right to ‘forget’ personal information online has been controversial the[...]
Oct
21
Tue
Consumer Action’s 43rd Annual Aw... @ Google
Consumer Action’s 43rd Annual Aw... @ Google
Oct 21 @ 6:00 pm – Oct 21 @ 8:00 pm
To mark its 43rd anniversary, Consumer Action’s Annual Awards Reception on October 21, 2014, will celebrate the theme of “Train the Trainer.” Through the power of individual and small group trainings, Consumer Action each year is[...]
Oct
24
Fri
Web Privacy & Transparency Confe... @ Princeton University
Web Privacy & Transparency Confe... @ Princeton University
Oct 24 @ 9:00 am – 4:00 pm
On Friday, October 24, 2014, the Center for Information Technology Policy (CITP) at Princeton University is hosting a public conference on Web Privacy and Transparency. It will explore the quickly emerging area of computer science research that[...]
Oct
29
Wed
Big Data and Privacy: Navigating... @ Schulze Hall
Big Data and Privacy: Navigating... @ Schulze Hall
Oct 29 @ 4:00 pm – 7:00 pm
The rapid emergence of “big data” has created many benefits and risks for businesses today. As data is collected, stored, analyzed, and deployed for various business purposes, it is particularly important to develop responsible data[...]
Oct
30
Thu
The Privacy Act @40: A Celebrati... @ Georgetown Law
The Privacy Act @40: A Celebrati... @ Georgetown Law
Oct 30 @ 9:00 am – 5:30 pm
The Privacy Act @40 A Celebration and Appraisal on the 40th Anniversary of the Privacy Act and the 1974 Amendments to the Freedom of Information Act October 30, 2014 Agenda 9 – 9:15 a.m. Welcome[...]
Nov
7
Fri
all-day George Washington Law Review 201... @ George Washington University Law School
George Washington Law Review 201... @ George Washington University Law School
Nov 7 – Nov 8 all-day
Save the date for the GW Law Review‘s Annual Symposium, The FTC at 100: Centennial Commemorations and Proposals for Progress, which will be held on Saturday, November 8, 2014, in Washington, DC. This year’s symposium, hosted in[...]
Nov
11
Tue
You Are Here: GPS Location Track... @ Mauna Lani Bay Hotel & Bungalows
You Are Here: GPS Location Track... @ Mauna Lani Bay Hotel & Bungalows
Nov 11 @ 10:15 am
EFF Staff Attorney Hanni Fakhoury will present twice at the Oregon Criminal Defense Lawyers Association’s Annual Sunny Climate Seminar. He will give a presentation on government location tracking issues and then participate in a panel[...]

View Calendar