
Thursday, February 12, 2009

Changes come to Mass. data privacy regs

By Galen Moore

Responding to pleas from the business community, the state Office of Consumer Affairs and Business Regulation today altered data privacy regulations designed to protect Massachusetts residents.

The new regulations responded to two key concerns raised by businesses, by extending the deadline for the regulations to take effect and removing a requirement that businesses certify third-party vendors’ compliance. However, a third controversial component remained intact, placing the data security requirements on any business that handles Massachusetts residents’ sensitive data, regardless of where that business is located.

Businesses flooded Consumer Affairs with complaints at a Jan. 15 public hearing on the new regulations, held after their start date had already been pushed to May 1 from the original date of Jan. 1, 2009. Business leaders told regulators the requirements would be an injurious burden in the current sagging economy.

The new regulations will still make Massachusetts data controls the tightest in the U.S., but Consumer Affairs undersecretary Daniel Crane said he doesn’t think the Bay State is setting the bar high.

“We think this is probably a baseline of minimum standards that companies should be following,” he said. “We think that we find from education programs we’re conducting that many companies are up to these standards and sometimes more.”
 
Today’s changes push the regulations back eight months, setting an effective date of Jan. 1, 2010, for the mandate that all “personal information” belonging to Massachusetts residents be encrypted whenever it is stored on portable devices, transmitted wirelessly or shared on public networks.

The regulations define personal information as a resident's name in combination with a Social Security number, a bank account number or a credit card number.

The new regulations also removed a stipulation that businesses must obtain certification in writing from all third-party vendors, confirming that each vendor is in compliance with the letter of the regulations. Regulators replaced that piece with a requirement that companies investigate third-party vendors to establish that each is able to protect information to the regulatory standard.

“It’s fairly subjective,” Crane said of the new third-party vendor requirement. “It’s a matter of what the particular relationship is – who’s the third-party service provider. Is it somebody who’s well-known, who can provide an industry-accepted certification, or is it somebody less well-known?”
