
Wednesday, November 10, 2010

Smaller companies challenged to comply with Massachusetts' data privacy rules

By Jill Gambon, Special to Mass High Tech

Eight months after the state’s tough, new data privacy regulations went into effect, many businesses are still sorting through the rules and working to bring their firms into compliance.

The regulations, which went into force in March, are intended to protect a consumer’s personal information from identity theft and other privacy breaches and to spell out steps that businesses must take to ensure data is secured. Some large companies — particularly those in the finance and health care industries that are already subject to data security laws like the Health Insurance Portability and Accountability Act (HIPAA) — had privacy measures in place, which helped get them ready for Massachusetts’ regulations. However, for many smaller and midsize companies that have not been subject to data security laws before, complying with the rules is a longer and often more painful process.

“For the folks that were already doing a good job (on data privacy protection) and just had to extend the umbrella, there have not been a lot of bumps in the road,” said Josh Shaul, vice president at Application Security Inc., a New York-based firm that provides database monitoring, assessment and security software. However, some businesses that are complying with privacy regulations for the first time and have limited in-house technology expertise “are running around with their hair on fire, trying to figure out what to do first,” said Shaul, who is based in the company’s Bedford office.

“We’ve seen a substantial uptick in activity in clients seeking guidance in how to comply,” said Carlos Perez-Albuerne, a partner at Choate Hall & Stewart LLP. “There’s a whole swath of businesses that never had to deal with anything like this before.”

Under the regulations, organizations — no matter where they are based — that store personal information about Massachusetts residents have to write security policies detailing how the data will be protected, encrypt the data when it is stored on laptops or other portable devices or transmitted over public networks, and monitor their systems for breaches. Believed to be among the most stringent data privacy regulations in the U.S., the rules have lawmakers and businesses taking note. The regulations are now driving computer security policy agendas across the country, said Mark Schreiber, a partner at Edwards Angell Palmer & Dodge who chairs the firm’s privacy and data protection group. “The impact is much broader than we ever imagined. Who would have thought it would have catalyzed so much activity?” he said. “This will be with us for decades or longer.”

The regulations have “long reach and deep roots,” said Perez-Albuerne. Thousands of businesses that store Massachusetts citizens’ personal data on systems in remote locations across the country — or across the globe — are still sorting through the impact on their data and security architectures. Some businesses may have legacy data stored in outdated formats that may need to be encrypted, he pointed out. “Those issues have to be taken into consideration at the (system) design level,” he said. “Businesses have to spend time on this and it can be costly.”

Since March, Cutugno Court Reporting and Sten-Tel Inc., a Springfield-based firm that provides document management and transcription systems, has spent “easily into the six-figure realm” on technology and consulting services to comply with the privacy regulations, said Blake Martin, the company’s CIO. The firm hired a part-time chief security officer to provide the necessary expertise to get its systems into compliance, Martin said. While compliance efforts have cost time and money, there have been unexpected upsides. For instance, the process of classifying data helped identify areas that were ripe for improvement. “You learn where your data goes and what your work flows are,” said Martin. “We learned that some processes were inefficient.”

In evaluating security risks, the company also discovered it was vulnerable from a business-continuity standpoint if key employees were to leave the firm. The company has taken steps to address those issues, Martin said.

To date, state regulators have not taken any public enforcement actions against organizations that have failed to comply with the rules. The state attorney general’s office, which is charged with enforcing the regulations, and the Office of Consumer Affairs and Business Regulation, which developed the regulations, have been focusing on compliance efforts, reaching out to trade groups, bar associations and others to spread the word. “We are making progress,” said Barbara Anthony, undersecretary of the Office of Consumer Affairs and Business Regulation. Small businesses are a particular focal point, since many of them have never before had to comply with such regulations, Anthony said.

Data Privacy Timeline

August 2007
Legislature passes data privacy act in the wake of security breaches at TJX and other companies.

September 2008
Regulations announced by the Massachusetts Office of Consumer Affairs and Business Regulation will require companies to safeguard with firewalls all personal data belonging to any Massachusetts resident, and encrypt it whenever it is transmitted or saved on a portable device such as a laptop or a flash drive.

November 2008
State extends the January 2009 deadline for privacy regulations to take effect, setting May 1, 2009, as the new deadline.

February 2009
The deadline is extended again to Jan. 1, 2010, and officials remove a requirement that businesses certify third-party vendors’ compliance.

August 2009
Officials set yet another new deadline, March 1, 2010. They also loosen the state standards, tying them to federal rules that require businesses to take “reasonable” steps in selecting vendors and to ensure by contract that their IT vendors will protect sensitive data.

March 2010
Massachusetts Data Privacy Act, 201 CMR 17.00, takes effect.


Jill Gambon is a freelance writer in West Newbury.
