As business owners are preparing for the new Massachusetts data protection law, also known as 201 CMR 17: Standards for The Protection of Personal Information of Residents of the Commonwealth, due next year, a potential quagmire is building.
Speaking at the TechTarget Compliance Decisions Summit March 12, Laurence Anker, engagement manager, technology risk management for Jefferson Wells International, said the coming influx of state privacy laws will create “a mess.”
Only about half of the states have laws governing personally identifiable information, but several more, including Massachusetts, are crafting tough laws that will put new burdens on businesses, especially SMBs, and businesses outside of the state that employ Massachusetts residents.
These laws will cover areas such as secure storage of data, encryption of data and access controls, as well as require businesses to create written, comprehensive security and privacy policies for personal data.
Such tasks are formidable, but not impossible, but multiply the Massachusetts law by 50 and it’s easy to see how difficult it will become for some businesses to make sure they are in compliance with every state’s privacy law.
Or, Anker said, there could be a day when state privacy regulators will join an organization similar to the National Association of Insurance Commissioners, which will seek to normalize the state privacy laws and help the states enforce them.