After years of extensions, on March 1, organizations that possess the personally identifiable information of Massachusetts residents will have to be in compliance with 201 CMR 17.00. Here's a quick look at the long and winding road that the Massachusetts data protection law has traveled:
Originally set for May 2009 and then pushed to January, the deadline for compliance with the nation's most comprehensive data protection law was extended in August for the final time. The change came after the Office of Consumer Affairs and Business Regulation amended the data protection law requirements due to widespread concern in the business community.
"The federal laws, specifically Gramm-Breach Bliley, all adopt a risk-based approach," said Barbara Anthony, Massachusetts undersecretary of consumer affairs, in an interview with SearchCompliance.com. "In amending the regulation, we tried to make clear that these rules would also adopt a risk-based approach. Businesses should write their own plan that takes into account the risk specific to the business. We're setting up a destination, not an approach."
Implementation requirements now specifically take into account a particular business's size, scope, available resources, need for information security and the nature and quantity of data collected or stored.
In September, the data breach regulation passed a big test in a public hearing. Feedback was positive, with Robert Kramer, vice president for public policy at computer industry trade association CompTIA, declaring, "If it's not the ultimate version, then it's the penultimate one."
Below, find resources with information that compliance officers need to know about the regulation and what they'll need to do to stay clear of penalties.
MA 201 CMR 17 enforcement less likely with prompt reporting, cooperation
The official charged with enforcing the MA 201 CMR 17.00 data protection law says early reporting of potential breaches and cooperation will help firms avoid enforcement action. Even with a broad range of technologies and best practices in place, companies must promptly own up to any potential breach to avoid facing enforcement actions. Scott D. Schafer, chief of the consumer protection division for Massachusetts Office of the Attorney General, said the attorney general will be less likely to bring enforcement action against organizations that cooperate quickly and fully following a breach, prove that a breach was inadvertent and demonstrate ongoing adherence with industry best practices for data protection.
Interpreting 'risk' in the Massachusetts data protection law
One of the key practical issues is how to interpret the regulation's "risk-based" language, and how to apply it to an organization's particular set of circumstances. This is ultimately a legal question, making it extremely important for a company's security team to engage its legal team when developing a compliance plan. Without legal training, it will be difficult for security professionals to know how the courts, regulators and potential plaintiff's attorneys will interpret and apply the regulation. David Navetta looks at key risk-based aspects of the regulation that your compliance and legal teams will need to be prepared for.
Implementing compliance with the Massachusetts data protection act
Expert Richard Mackey explains how to implement compliance with the Massachusetts data protection act.
State data protection laws offer opportunity for proactive companies
Many analysts believe the commonwealth's decision to make firms take a proactive, policy- and procedure-based approach to data protection is the wave of the future, likening 201 CMR 17.00 to California's groundbreaking data breach notification law passed in 2003. First, they say, do a security assessment to identify risks because the next step -- creating the written information security program -- is a big project.