David Goldstone, partner at Goodwin Procter LLP

Friday, April 10, 2009

Beyond the Bay State

Data privacy regs vary around New England

By Galen Moore

New Englanders have a reputation for being taciturn, but when it comes to data, Massachusetts takes the cake. No state loves its privacy more than the Bay State, which last year passed the nation’s most exacting data privacy law, requiring companies to check off a honey-do list of steps designed to protect personal data belonging to commonwealth residents.

Connecticut and Rhode Island preceded Massachusetts in joining the minority of states that have enacted proactive data privacy laws, requiring businesses to protect information like Social Security and credit card numbers. Maine, Vermont and New Hampshire, like nearly all states, have only reactive data laws, requiring companies to take certain steps — like reporting a breach to authorities — after data has been compromised.

Rhode Island’s law, passed in 2006, requires businesses that own or license Rhode Islanders’ personal information to “provide reasonable security” for that data. Connecticut’s law, passed shortly before Massachusetts enacted data privacy legislation last summer, requires businesses to create and publicly display a data protection policy, but does not specify what that policy should entail.

The Connecticut and Rhode Island laws stop far short of the controversial requirements in Massachusetts, where new regulations are scheduled to take effect by January 2010.

“They’re not technically one-liners, but they’re very general,” Goodwin Procter LLP partner David Goldstone said of the Connecticut and Rhode Island statutes, which are similar to laws passed in Texas and California. “Essentially they say companies have to have reasonable protections in place.”

The Connecticut Legislature had aimed to go further, said Gary Berner, legislative program manager in the state Department of Consumer Protection. The state’s data privacy law was passed at the close of the legislative session last July. A companion law, intended to lay out specific requirements, did not get through in time. So far this year, a replacement has not been proposed, he said.

“We admit freely this particular law that took effect is incomplete,” Berner said. “Nonetheless, it is the law.” To date, the state has not received any complaints alleging violation of the new law, he said. Without an opportunity to prove the law against a particular case, the statute’s requirements remain to some extent subjective.

Connecticut’s law has brought increased concern from the Nutmeg State’s insurance companies, said Axis Technology LLC president Michael Logan. The Boston-based security company provides data-masking technology for companies, designed to limit access to sensitive data.

Still, Axis hasn’t seen a rush by insurers to spend dollars on new security measures, Logan said. “Basically they’re still kind of in the mode that we’re in a recession,” he said. “They’re not going to do it right away, but they’re in the mode where they need to figure out what they want to do.”

Connecticut and Rhode Island laws are less onerous to businesses than the checklist set down by Massachusetts, Goldstone said. Massachusetts’ regulations spell out steps companies must take, including designating employees to manage data security programs, encrypting data and monitoring for breaches.

A data breach in Connecticut or Rhode Island might leave it to the courts to decide whether a company complied with the law — but with such a general legal standard, companies aren’t likely to get caught in a “gotcha situation,” Goldstone said.

“(In Massachusetts), it’s a checklist,” he said. “If you do nine things and you miss No. 10, that’s going to stand out. Whereas, ‘reasonable,’ well, if you do nine things out of 10, that’s pretty reasonable.”


At a Glance

• Proactive data privacy laws: Require businesses to take steps to protect personal data under their control. On the books in Connecticut, Massachusetts and Rhode Island.

• Reactive data privacy laws: Specify only the required response in the event of a breach – usually include reporting the breach to authorities. On the books in Maine, New Hampshire and Vermont.


 
