The Office of Consumer Affairs and Business Regulation (OCABR) issued revised regulations last month. OCABR Undersecretary Barbara Anthony presided over a public hearing today to hear feedback on the latest amendments to the regulations.
"If it's not the ultimate version, then it's the penultimate one," said Robert Kramer, vice president for public policy at computer industry trade association CompTIA. Kramer had previously testified against the regulations.
In his testimony today, Kramer said, "the latest 201 CMR 17.00 regulations are a significant improvement over previous drafts." Kramer's group is still looking, however, for greater clarity on what is meant by "reasonable steps" in Section 17.03 (f)(1) of the regulation, which covers the acquisition of services from service providers and the relationship of providers to data owners and data.
CompTIA's request is that Section 17.03 (f)(1) be modified to require industry accreditations or "trustmarks" for service providers retained to manage, maintain or secure personally identifiable information (PII). Such trustmarks "would provide small businesses with an excellent method of practical guidance in the selection of third-party service providers," Kramer said in his testimony.
Other testimony focused on the same section. "We do not own PII," said Jacob Braun, president and chief operating officer of Waka Digital Media Corp., a service provider in Amherst, Mass. "We maintain it for our clients. They own it." Braun said he would like to further clarify the service provider provision to enable data owners and service providers to measure their own liability and exposure to the statute.
In response to the testimony regarding the language of Section 17.03 (f)(1) and (2) on service providers, Anthony pointed out that the language in the Massachusetts regulation was taken "verbatim" from the Federal Trade Commission Safeguards Rule for customer information. "We stole it," she quipped.
The Investment Company Institute, which strongly opposed the regulation in early versions, now praises the regulation's "better flexibility and greater consistency." The risk-based framework leaves small businesses better able to comply with the regulation by building a security system within budget and correlated to the amount of PII in their possession, testified Tamara Salmon, senior associate counsel for ICI.
Other groups, including the TechAmerica New England trade association and the Retailers Association of Massachusetts, also showed support for the amended regulations. "The approach makes sense for business while protecting consumer data, and by being technology neutral," said Anne Doherty Johnson, executive director of TechAmerica New England.
In its original form, 201 CMR 17.00 was hailed by state officials as the toughest in the nation, specifying a proactive approach and mandating encryption technologies. The regulation, however, made little provision for the size of a business or the amount of personal information in its possession. Business leaders reacted loudly and swiftly, and the latest risk-based approach was crafted in response.
Under the amendments, the revised regulations are set to go into effect March 1, which is the third enforcement date set this year. The original May 1, 2009, deadline was moved to Jan. 1. Given the widespread support demonstrated at the public hearing today, business owners should be moving quickly toward compliance now, as further extensions look increasingly unlikely.
Let us know what you think about the story; email: Scot Petersen, Executive Editor