
Mass. data protection regulation passes big test in public hearing

By Scot Petersen, Executive Editor
22 Sep 2009 | SearchCompliance.com

It appears that Massachusetts officials may have finally gotten their data protection regulation right.

After more than a year of business pressure to amend the Massachusetts data protection regulation (201 CMR 17.00), including delays and backtracking on the provisions of the regulation, the latest version is now receiving qualified support from the groups that vigorously opposed it.

The Office of Consumer Affairs and Business Regulation (OCABR) issued revised regulations last month. OCABR Undersecretary Barbara Anthony presided over a public hearing today to hear feedback on the latest amendments to the regulations.

"If it's not the ultimate version, then it's the penultimate one," said Robert Kramer, vice president for public policy at computer industry trade association CompTIA. Kramer had previously testified against the regulations.

In his testimony today, Kramer said, "the latest 201 CMR 17.00 regulations are a significant improvement over previous drafts." Kramer's group, however, is still looking for greater clarity on what is meant by "reasonable steps" in Section 17.03 (f)(1) of the regulation, the provision that covers the selection of third-party service providers and the relationship of those providers to data owners and the data they handle.

CompTIA's request is that Section 17.03 (f)(1) be modified to require industry accreditations or "trustmarks" for service providers retained to manage, maintain or secure personally identifiable information (PII). Such trustmarks "would provide small businesses with an excellent method of practical guidance in the selection of third-party service providers," Kramer said in his testimony.

Other testimony focused on the same section. "We do not own PII," said Jacob Braun, president and chief operating officer of Waka Digital Media Corp., a service provider in Amherst, Mass. "We maintain it for our clients. They own it." Braun said he would like to further clarify the service provider provision to enable data owners and service providers to measure their own liability and exposure to the statute.

In response to the testimony regarding the language of Section 17.03 (f)(1) and (2) on service providers, Anthony pointed out that the language in the Massachusetts regulation was taken "verbatim" from the Federal Trade Commission Safeguards Rule for customer information. "We stole it," she quipped.

The bottom line, however, is that long-standing major objections -- over the costs of encryption requirements and the difficulties of implementation for small businesses -- have been satisfied in this version.

The Investment Company Institute, which strongly opposed the regulation in early versions, now praises the regulation's "better flexibility and greater consistency." The risk-based framework leaves small businesses better able to comply with the regulation by building a security system within budget and correlated to the amount of PII in their possession, testified Tamara Salmon, senior associate counsel for ICI.

Other groups, including the TechAmerica New England trade association and the Retailers Association of Massachusetts, also showed support for the amended regulations. "The approach makes sense for business while protecting consumer data, and by being technology neutral," said Anne Doherty Johnson, executive director of TechAmerica New England.

In its original form, 201 CMR 17.00 was hailed by state officials as the toughest in the nation, specifying a proactive approach and mandating encryption technologies. The regulation, however, made little provision for the size of a business or the amount of personal information in its possession. Business leaders reacted loudly and swiftly, until the latest risk-based approach was crafted.

Under the amendments, the revised regulations are set to go into effect March 1, 2010, the third enforcement date set this year. The original Jan. 1, 2009, deadline was first pushed to May 1, 2009, and then to Jan. 1, 2010, before this latest extension. Given the widespread support demonstrated at the public hearing today, business owners should be moving quickly toward compliance now, as further extensions look increasingly unlikely.
