Substantial revisions to the Massachusetts data breach notification law (M.G.L. Chapter 93H) are included in a
bill discussed in a public hearing held Tuesday.
SB 173 is a legislative response to widespread concerns in the security and legal community over the impact of the law on small businesses and its enforceability. The Massachusetts legislature could change the breach notification law (93H) that gave authority to OCABR but not the regulation itself. As a result, the revisions provide specific limits with regards to what 201 CMR 17 can require. Should SB 173 pass, OCABR would have to make changes to the regulation that interprets it in a way that is consistent with the changes to 93H, which requires that the department of consumer affairs "shall adopt regulation relative to any person that owns or licenses personal information."
State Senate Chairman Michael Morrissey, who presented the bill, said in the hearing that the data protection regulation from OCABR went "beyond its intent," as it extended jurisdiction beyond state borders and included specific technical requirements. Under the revision, the compliance standards for businesses would be set by any relevant federal laws. There is no specific timeline established for these revisions to go into effect to date.
Morrissey said at the hearing that the appointment of Barbara Anthony as the new undersecretary for OCABR, presented an opportunity to review and revise certain provisions of the data protection law.
When reached for comment, Anthony offered the following statement, "Our regulations were promulgated pursuant to enabling legislation that was passed in 2007. This new legislative proposal differs from the enabling legislation which guided our efforts. We do not have an official comment on the new legislation at this time except to say that it does not contain the same scope of consumer protections that our enabling legislation does."
At the May 12 hearing on Beacon Hill, Morrissey, state Rep. Theodore C. Speliotis and other state officials heard testimony from representatives of industry organizations and information security professionals.
"As a major technology state, we need to get this right," Anne Doherty Johnson, executive director of trade association TechAmerica New England, told SearchCompliance.com contributor Sarah Cortes, who also testified at the hearing. "The current regulations exceeded the intent of the legislature and are very problematic for the reasons outlined. TechAmerica believes this legislation will correct those and is a huge step in the right direction."
Cortes said in an interview with SearchCompliance.com that there was "unanimous support" for SB 173. You can read Senate testimony from Cortes, a senior technology manager at Cambridge, Mass.-based InmanTechnologyIT, online.
The changes presented by SB 173 are in deference to federal law. Where federal law is applicable, 93H will no longer apply. For example, this law would no longer affect health care providers in Massachusetts -- the HIPAA and HITECH acts would. The only organizations that 93H would now apply to are those to whom no federal law applies. "Another major revision is the reversal of provisions that would dictate specific technical tools or methods like encryption," Cortes said. "The revised law would steer clear of any such specific requirements. Small firms will find relief in the third change, which requires separate standards for them."
Under 201 CMR 17, encryption of the personally identifiable information (PII) of Massachusetts residents was required whether it was at rest, in transit or stored on a laptop or other mobile device. Under SB 173, encryption requirements are no longer specifically required. Section 1, Subdivision A has a new sentence: "The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information."
Cortes explained, "If you're a large enterprise and don't take 'reasonable methods' to protect the PII of residents, you're liable."
The removal of specific requirements for encryption from the statute is what would affect small businesses the most. "SMBs, prior to the revision, were subject to the same standard under 93H as anyone else," Cortes said. "That was true for one-person businesses all the way up to huge enterprises like Fidelity. Now the statute specifically says that the legislature must develop a separate standard for SMBs and that they will not be subject to the law in the same way."
"Data protection is a top priority for Associated Industries of Massachusetts and our members, who will continue to pursue the development of reasonable data privacy regulations in Massachusetts. The delay in the general effective date of May 1, 2009, to Jan. 1, 2010, does not resolve the substantive issues within the current rules that impose high costs and prescribe specific technology solutions. Massachusetts cannot afford additional unreasonable regulations on employers working to protect jobs and prevent layoffs while competing in a global economy. Senate Bill 173 would provide a necessary solution in the absence of regulatory rule changes. The legislation would ensure that clear guidelines for the development of identity theft regulations be utilized to provide consistency for those entities already regulated under federal law and further provide businesses with greater flexibility to strategically invest their limited operational and IT resources."
Speaking as an information security professional, Cortes noted that 201 CMR "was kind of doomed. It was too far-reaching to begin with. The revision retreats from what was probably never a workable standard to begin with. Dictating the technology was a way of guaranteeing the obsolescence of the statute."
Cortes said she believes that "it's likely that encryption will be required under any interpretation of MGL 93H's original language, which SB 173 preserves, that personal information must be protected 'in a manner fully consistent with industry standards.'" In coming years, encryption may be required under a revised version of a federal data protection law similar to the one introduced by U.S. Sen. Dianne Feinstein in 2003. Cortes and other security professionals recommend that small organizations and enterprises encrypt now to meet inevitable compliance requirements.
Let us know what you think about the story; email: Alexander B. Howard, Associate Editor