The state hopes changes to Massachusetts’ data privacy regulation plan will calm business community fears over the cost of the new controls, but watchers of the process say the government may have made things worse. One thing seems certain: the recent changes aren’t likely to be the last word on regulating sensitive data in the Bay State.
The regulations mandate all “personal information” belonging to Massachusetts residents be encrypted whenever it is stored on portable devices, transmitted wirelessly or shared on public networks.
Changes enacted just in time to beat a deadline of Thursday, Feb. 12, pushed the effective date back eight months, from May 1 to Jan. 1, 2010. They also removed a requirement that businesses certify third-party vendors’ compliance.
The latter move was aimed to address an issue raised in a public hearing with business leaders held Jan. 15 at the State House. The change was designed to make the third-party regulations more adaptable to companies of various sizes and business models, said Massachusetts Consumer Affairs undersecretary Daniel Crane.
Consumer Affairs has addressed the major concern of business owners by pushing back the deadline, said Nancy Wilsker, a partner in the corporate law practice of Brown Rudnick LLP. However, changes in the third-party vendor regulation may have made things worse, she said.
The earlier version required businesses to take “reasonable steps” to ensure third-party vendors were compliant, and then to obtain certification from each vendor in writing. The revision removed the certification step, but added a word: the new version requires that businesses take “all reasonable steps.”
“The word ‘all’ in those two places is really significant,” Wilsker said. “If there are five possible things to do out there and you’ve done the top three, then maybe you figure there’s no reason to do two more because I know what answer I’m going to get. Once you say ‘take all reasonable steps’ I don’t know if you can stop there anymore.”
Consumer Affairs general counsel David Murray disagreed. The amended statute conforms to the standard of reasonableness, meaning conduct is evaluated in context, he wrote in an e-mail.
According to Murray, the intent is to require businesses to apply to their vendors the same scrutiny they’d give their own processes. “The standard of care placed on the recipient of personal information is not diminished because that person hands over that information to a vendor,” he wrote.
Legal semantics aside, the need for companies to keep an eye on their vendors is real, said Mike Logan, president of delivery and operations at Axis Technology LLC, a Boston-based data security software and services company.
“The law will force everybody to get to the same level,” Logan said. “There’s a whole chain of data going between companies. The weakest company is the link that will get breached.”