The recent extension of the Massachusetts data protection law, 201 CMR 17.00, to Jan. 1 due to concerns over the costs of preparation and implementation may still not give businesses enough time to become compliant with the new law.
In fact, many had already better be in compliance with existing data protection laws or getting in line with 201 CMR 17.00 will be even more difficult.
The new Massachusetts law requires any person or business that acquires or stores personal information about a resident of the commonwealth of Massachusetts to "develop, implement, maintain and monitor a comprehensive" security program "applicable to any records containing such personal information."
Two separate panels met in the Boston area last week to shed light on the requirements and potential liability of those statutes, as well as discuss the impact of the Massachusetts law, which some experts consider one of the toughest in the nation.
Massachusetts businesses should already be prepared for some level of data security if they have recognized existing laws, said Christine Santariga, an attorney in the Boston office of Ropes & Gray LLP, at a session held at the Boston Marriott Copley. For instance, 201 CMR 17.00 was adopted under Massachusetts Security Breach Law M.G.L. c. 93H, compliance with which is mandatory for any entity that handles the personal information of Massachusetts residents.
Another existing state consumer protection statute, M.G.L. c. 93A, contains provisions that bar "unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce." Sanctions for noncompliance with M.G.L. 93A and penalties of up to $5,000 per violation will be part of liability hearings when the new data protection law goes into effect.
Separate penalties also pertain to IT operations under a related statue specifically governing the disposal of records that contain personally identifiable information, M.G.L. c. 93I, which requires shredding or otherwise destroying documents or data that contain PII.
Compliance 'checklist' is no substitute
The other panel last week, hosted by the Cambridge Chamber of Commerce, featured Gerry Young, CIO of the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR); David Murray, general counsel of OCABR; Timothy Mahoney from law firm Abrams Little-Gill Loberfeld PC; and Dean Gabbert of CMIT Solutions.
Murray noted that the Massachusetts OCABR has received 516 data breach notifications in the past 16 months, affecting more than 800,000 residents. Nationwide, Murray said, "10 million Americans suffer identity theft annually. The cost to consumers is $55 billion. And the estimated cost of a data breach is measured at $200 for each stolen customer record."
Murray presented a compliance checklist, available from the OCABR, that offers specific guidance on the creation of the written information security plan mandated by the data protection law. As noted on the document, however, the checklist "is not a substitute for compliance with 201 CMR 17.00. Rather, it is an aid to be adapted to the particular circumstances of a particular small business or individual that handles 'personal information,' and that is trying to come up with a conforming plan."
Despite the specificity of certain parts of the law, some of the language of how to enforce it is vague: What is a "reasonable" response to a data breach, or a "reasonable" approach to security preparation? Murray said the protection law requires physical and electronic access to resident PII to be blocked "as soon as the admin learns" of a change in employment status. Second, liability is always driven by context. What's reasonable may vary by resources, as a judge will have to assess the responsibility of each party after a data breach.
At the Copley panel, Santariga briefed the audience on the legal history and reach of the regulation. Historically, data protection laws have been industry-specific, she said, with federal regulations like HIPAA, the Fair Credit Reporting Act, Gramm-Leach-Bliley Act (GLBA) and the Children's Online Privacy Protection Act and frameworks like the Payment Card Industry Data Security Standard.
At the state level, Santariga said there have been a variety of "Little FTC Acts" that have addressed consumer protection. Data breaches have come under regulatory control under laws like California's Database Security Breach Notification Act, which requires an organization to notify California residents if it believes that a breach of personal information -- including medical or health insurance data -- has occurred. Other state information security requirements that address PII like Social Security numbers and credit card numbers, proper document disposal and "reasonable security" have also been passed in some states. The concepts contained in the Massachusetts data protection law aren't novel, in Santariga's assessment. Some precedents lay in the GLBA's Safeguards Rule, Federal Trade Commission Consent Orders, aspects of the Health Insurance Portability and Accountability Act (HIPAA) and Oregon law.
Echoing Murray, Santariga said the context of security breaches would serve as the basis for both liability and penalties. Separate penalties would pertain under disposal of records and breach notification statutes.
Following Santariga's briefing, executives from Peritus Security Partners LLC, Utimaco Software AG and Sophos PLC provided recommendations for effective compliance and preparation, along with descriptions of their firms' governance and risk management software. Kurt Baumgarten, principal at Peritus Security, noted during his presentation that the ISO 27001 framework was used as the foundation for the new Massachusetts data protection law. Baumgarten, in fact, suggested to the audience that "using the ISO 27001 best practices framework for your own written information security plan (WISP) development will allow you to be more consistent with the expectations of the state."
Toughest law in the world?
The Massachusetts data protection law is different from other U.S. regulations due to the specificity of administrative, technical and physical policies and controls defined therein.
OCABR's Young said, "201 CMR 17.00 currently is the most comprehensive and toughest regulation in the US."
You must have Adobe Flash Player 7 or above to view this content.See https://www.adobe.com/products/flashplayer to download now.
Download for later:
David Murrary, General Counsel MA OCABR and Gerry Young, CIO, discuss 201 CMR 17.00.
• Internet Explorer: Right Click > Save Target As
• Firefox: Right Click > Save Link As
The regulation is not, however, the toughest in the world, said Doug Cornelius, chief compliance officer at Beacon Capital Partners LLC, a Boston-based private equity real estate company. Cornelius noted that "[European Union] data privacy requirements cover a broader set of information" and that under the European statute, "the consumer owns her data."
Analyst Vivian Tero, program manager for IDC's compliance infrastructure service, echoes this position. Tero stated that the Massachusetts law "definitely has more teeth and is also more prescriptive, but German laws are most stringent. It's a human rights issue," she said.
In an email interview, Rebecca Herold, editor of Realtime-ITCompliance.com, went further, noting that "the definition of personal information is not as comprehensive or broad as other laws. The description of an information security program, in many ways, is not as detailed as other laws. It does not mention disaster recovery or business planning." As far as being the toughest around for implementation, Herold also disagreed, stating that "the requirements consist of basic and prudent information security practices."
Given the scope of requirements in the legislation, security expert Ed Moyle recommends that enterprises and individuals encrypt now to be in compliance with the law when it does go live.
Let us know what you think about the story; email firstname.lastname@example.org.