
Mass. Senate seeks to amend, weaken data breach notification law

By Alexander B. Howard, Associate Editor
14 May 2009 | SearchCompliance.com


Substantial revisions to the Massachusetts data breach notification law (M.G.L. Chapter 93H) are included in a bill discussed in a public hearing held Tuesday.

A draft of Massachusetts Senate Bill 173 (SB 173) proposes revisions to specific encryption requirements and the jurisdiction of the law beyond state borders. If passed, these revisions would result in fundamental changes to the data protection regulation (201 CMR 17) promulgated by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR).

SB 173 is a legislative response to widespread concerns in the security and legal community over the law's impact on small businesses and its enforceability. The Massachusetts legislature can change the breach notification law (93H) that gave OCABR its authority, but not the regulation itself. As a result, the revisions set specific limits on what 201 CMR 17 can require. Should SB 173 pass, OCABR would have to revise the regulation so that it interprets 93H consistently with the amended statute, which requires that the department of consumer affairs "shall adopt regulation relative to any person that owns or licenses personal information."

State Senate Chairman Michael Morrissey, who presented the bill, said in the hearing that the data protection regulation from OCABR went "beyond its intent," as it extended jurisdiction beyond state borders and included specific technical requirements. Under the revision, the compliance standards for businesses would be set by any relevant federal laws. To date, no specific timeline has been established for these revisions to go into effect.

Morrissey said at the hearing that the appointment of Barbara Anthony as the new undersecretary for OCABR presented an opportunity to review and revise certain provisions of the data protection law.

When reached for comment, Anthony offered the following statement: "Our regulations were promulgated pursuant to enabling legislation that was passed in 2007. This new legislative proposal differs from the enabling legislation which guided our efforts. We do not have an official comment on the new legislation at this time except to say that it does not contain the same scope of consumer protections that our enabling legislation does."

At the May 12 hearing on Beacon Hill, Morrissey, state Rep. Theodore C. Speliotis and other state officials heard testimony from representatives of industry organizations and information security professionals.

"As a major technology state, we need to get this right," Anne Doherty Johnson, executive director of trade association TechAmerica New England, told SearchCompliance.com contributor Sarah Cortes, who also testified at the hearing. "The current regulations exceeded the intent of the legislature and are very problematic for the reasons outlined. TechAmerica believes this legislation will correct those and is a huge step in the right direction."

Cortes said in an interview with SearchCompliance.com that there was "unanimous support" for SB 173. You can read Senate testimony from Cortes, a senior technology manager at Cambridge, Mass.-based InmanTechnologyIT, online.

The changes presented by SB 173 are in deference to federal law. Where federal law is applicable, 93H will no longer apply. For example, this law would no longer affect health care providers in Massachusetts -- the HIPAA and HITECH acts would. The only organizations that 93H would now apply to are those to whom no federal law applies. "Another major revision is the reversal of provisions that would dictate specific technical tools or methods like encryption," Cortes said. "The revised law would steer clear of any such specific requirements. Small firms will find relief in the third change, which requires separate standards for them."

Under 201 CMR 17, encryption of the personally identifiable information (PII) of Massachusetts residents was required whether the data was at rest, in transit, or stored on a laptop or other mobile device. Under SB 173, encryption is no longer specifically required. Section 1, Subdivision A adds a new sentence: "The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information."

Cortes explained, "If you're a large enterprise and don't take 'reasonable methods' to protect the PII of residents, you're liable."

The removal of specific requirements for encryption from the statute is what would affect small businesses the most. "SMBs, prior to the revision, were subject to the same standard under 93H as anyone else," Cortes said. "That was true for one-person businesses all the way up to huge enterprises like Fidelity. Now the statute specifically says that the legislature must develop a separate standard for SMBs and that they will not be subject to the law in the same way."

Bradley A. MacDougall, associate vice president of government affairs for Associated Industries of Massachusetts (AIM), also testified at the hearing. AIM is a nonprofit, nonpartisan association of Massachusetts employers with more than 6,500 members that, amongst them, employ nearly one out of every five workers in Massachusetts. In his testimony, MacDougall said:

"Data protection is a top priority for Associated Industries of Massachusetts and our members, who will continue to pursue the development of reasonable data privacy regulations in Massachusetts. The delay in the general effective date of May 1, 2009, to Jan. 1, 2010, does not resolve the substantive issues within the current rules that impose high costs and prescribe specific technology solutions. Massachusetts cannot afford additional unreasonable regulations on employers working to protect jobs and prevent layoffs while competing in a global economy. Senate Bill 173 would provide a necessary solution in the absence of regulatory rule changes. The legislation would ensure that clear guidelines for the development of identity theft regulations be utilized to provide consistency for those entities already regulated under federal law and further provide businesses with greater flexibility to strategically invest their limited operational and IT resources."

Speaking as an information security professional, Cortes noted that 201 CMR "was kind of doomed. It was too far-reaching to begin with. The revision retreats from what was probably never a workable standard to begin with. Dictating the technology was a way of guaranteeing the obsolescence of the statute."

Cortes said she believes that "it's likely that encryption will be required under any interpretation of MGL 93H's original language, which SB 173 preserves, that personal information must be protected 'in a manner fully consistent with industry standards.'" In coming years, encryption may be required under a revised version of a federal data protection law similar to the one introduced by U.S. Sen. Dianne Feinstein in 2003. Cortes and other security professionals recommend that small organizations and enterprises encrypt now to meet inevitable compliance requirements.
