
Friday, June 19, 2009

Mass. legislator: Revisit data security law

By Jackie Noblett

After months of outspoken complaints from business leaders who said Massachusetts data security laws were next to impossible to follow, one lawmaker wants to make compliance easier for the smallest and largest of businesses.

A bill sponsored by Sen. Michael Morrissey, D-Quincy, would rewrite the law passed in 2007, essentially creating separate paths to compliance for federally regulated entities, small businesses and all other businesses. Any businesses that must comply with federal laws safeguarding personal information would be deemed in compliance with the state laws, and small businesses would have separate regulations that reflect “small businesses’ unique situation and resources,” the bill states.

Some of the current law’s critics, including business organizations, say the changes would provide more precision than the one-size-fits-all policy.

“I think it lays out to a more definitive degree what we believe were the Legislature’s intentions,” said Jon Hurst, president of the Massachusetts Retailers Association. “Some of the early cuts went beyond what the Legislature intended.”

The data security law was passed in the wake of the massive breach at The TJX Cos. Inc. It requires every business that holds personal information about Massachusetts residents, essentially a full name combined with financial account or government identification numbers, to disclose data breaches and to adopt a minimum standard of data protection. After a series of public hearings and stakeholder meetings, the first regulations combined specific technology requirements, such as encryption, up-to-date firewalls and anti-virus software, and written certification from third-party service providers that hold the data, with a very broad, and some critics say vague, definition of compliance covering all entities. The compliance deadline was pushed back after initially being scheduled for Jan. 1, 2009.

“What they did is, they had a lot of play in the joints,” said David Goldstone, an attorney in Goodwin Procter LLP’s privacy and data security practice.

That looseness, and the unclear cost of the technology required, had small-business leaders concerned that mom-and-pop shops would fall short, especially with the deteriorating economic climate. Late last year, the state extended the deadline until May 1, and again until Jan. 1, 2010. Regulators also clarified some of the rules around encryption.

But small-business leaders say the new bill provides opportunities for state regulators to draft rules specific to their particular risk and economic realities.

“Smaller businesses with limited resources, and limited likelihood of being the source of identity theft, should be differentiated,” said Bill Vernon, state director for the National Federation of Independent Business, at a public hearing on the bill last month.

For businesses already subject to federal laws that carry their own data-safeguarding obligations, such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, the bill states that compliance with those laws would satisfy the state requirements.

“They make a lot of sense, certainly having different standards for different businesses,” said Sarah Cortes of Cambridge IT security consulting firm Inman Technology IT. “It also continues to make Massachusetts a place where people can do business without undue costs.”


Comments (2)


Posted by: funnyredhed@g... / Monday, June 22nd, 2009 - 1:44 pm EDT
Interesting that Sen. Morrissey's bill was introduced in January. 201 CMR 17.00 does speak to risk-based assessments; therefore, if you are a mom-and-pop shop that collects/stores/retains little PI, and you reach that assessment in good faith, what is the problem? On the other hand, if you do collect LOTS of PI and are careless with it, the rest of us should not care that you are a small biz. You are putting us all at risk.

Posted by: ray-temp@c... / Friday, June 19th, 2009 - 10:08 am EDT
How ridiculous! Legislators and senators should focus on establishing laws/regulations for the protection of individuals, NOT define HOW or get wrapped up in the detail/minutiae. This is why this well-intended and Needed regulation has been delayed for so long already. Also, neither HIPAA nor SOX addresses personal identity theft!!! Simply stated: Businesses SHOULD be required by state or federal regulation to protect personal identity information. Period! Why on earth would politicians attempt to even talk about encryption?
