Friday, December 5, 2008
How I See It
Mass. data security regulations need work
In late September, the Massachusetts Office of Consumer Affairs and Business Regulation issued regulations to implement the Data Breach Law enacted in response to information thefts from business and government agencies. The regulations, the strictest in the nation, require every employer in the state, in fact every entity or person holding any sort of personal information, to take action to prevent identity theft.
Associated Industries of Massachusetts and the broader business community know that the protection and active security of personal data is a top priority, but had serious concerns about the specific regulations. The most immediate issue was the initial compliance deadline of Jan. 1, 2009, which gave employers only about three months to act. Responding to requests from AIM, its members, and others, the Patrick Administration has extended the deadline for compliance to May 1, 2009, and has provided additional time for compliance with provisions concerning encryption and vendor certification. AIM appreciates the administration’s action, as well as the positive engagement of Attorney General Martha Coakley’s office, Rep. Michael Rodrigues and Sen. Michael Morrissey on this matter.
Postponing the deadline does not change the fact that Bay State employers face privacy regulations that go far beyond established federal standards, and that will in most instances require significant operational and technological changes for entities that have custody of personal information, including employee records and customer data.
But most employers are completely unaware of these new regulations or mistakenly believe that if their firm is regulated by federal law then they are in compliance. These specific regulations represent a fundamental shift for every employer in Massachusetts and business transactions that occur within the commonwealth. The challenge of compliance is further exacerbated by the regulation’s ambiguity, which increases the risk of liability and affords little assurance that a business is in full compliance.
As a remedy, in line with the Legislature’s direction to adopt regulations consistent with current federal standards, AIM urges the Office of Consumer Affairs and Business Regulation to revise the regulations to track the Gramm-Leach-Bliley Act Safeguards Rule, the national standard for data security regulation, which has been in use for more than five years and provides a more reasonable framework. The current situation requires such action because, as written, the regulations mandate special data security protocols solely for data that pertains to Massachusetts residents.
Regrettably, the regulations do not envision the complex limitations of current technology or the many national and global business relationships that Massachusetts businesses depend on.
The present regulations mandate immediate investments and operational changes that would demand new computers that can handle encryption software and would require employers to amend all vendor contracts to include a written certification. In a time of economic crisis, these prescriptive mandates would impose significant and unnecessary costs on all employers including public and private sectors, especially employers in the health care, nonprofit and higher education areas.
Moreover, the proposed regulations, although well-intentioned, would actually have several negative unintended consequences that harm data security.
The delay in the compliance deadline provides time to address additional issues in order to assure that the protection and active security of personal data is pursued effectively by all employers.
Bradley MacDougall is associate vice president for government affairs at Associated Industries of Massachusetts, a nonpartisan, nonprofit employer association of 7,000 Bay State businesses and institutions.