Barbara Anthony, Consumer Affairs Undersecretary

Friday, August 21, 2009

Massachusetts data regulations get bumped and tweaked

By Galen Moore

Information technology service providers are scratching their heads and applauding at the same time over the latest revision to Massachusetts’ pending data security regulations.

It is the second time the state Office of Consumer Affairs and Business Regulation has brought the rules back for an overhaul. The latest changes extend by three months the deadline for implementing the regulations, to March 2010, and seek to allay fears attached to one of the most controversial provisions.

The Massachusetts regulations, first promulgated last fall based on a legislative directive, will go further than any other state by requiring any company that handles state residents’ sensitive data to take measures to protect it. Measures include encryption and extend to ensuring that all third-party IT service providers adequately protect sensitive data — a clause that drew criticism from business owners as an onerous requirement.

The new regulations tie state standards to the Federal Trade Commission’s rules, applied to financial institutions as part of the 1999 Gramm-Leach-Bliley Act. The safeguards require businesses to take “reasonable” steps in selecting vendors and to ensure by contract that their IT vendors will protect sensitive data, said Consumer Affairs Undersecretary Barbara Anthony.

The previous version, drafted in February, caused concern by requiring businesses to take “all reasonable steps” to ensure third-party service providers would protect state residents’ data.

The new regulations also allow a two-year grace period for companies to begin including data security protection in their IT services contracts.

But the wording of the changes still has some in the IT industry asking questions. The intent is clear, said Ted Bush, policy manager at the Washington-based Computing Technology Industry Association. While the new regulations may answer concerns for buyers of IT services, IT vendors are unsure how the regulations will be interpreted for them, he said.

“They’ve defined the duty for customers, but the IT professional’s duties are still undefined,” Bush said.

However, he praised the new regulations for tying Massachusetts’ data privacy law to federal standards.

 
