The Massachusetts data-privacy regulation that went into effect Jan. 1st is now undergoing revisions that are expected to go into effect May 1st, according to the state agency in charge of issuing the rules.
“We’re in the process of the final regulations,” David Murray, general counsel in the Office of Consumer Affairs and Business Regulation, said today, noting that the current regulation, “201 CMR 17.00 Standards for the Protection of Personal Information of Residents of the Commonwealth,” is still technically in effect. But the state government, whose legislature late last year passed a law requiring the agency to define the data-protection statute, last month received “a large number of written comments” about 201 CMR 17.00, says Murray. In reviewing those comments, the agency is going to make some changes intended to craft “the final filing” on this regulation. He did not specify what those changes might be.
The written comments the agency received about 201 CMR 17.00 are expected to be made publicly available shortly.
201 CMR 17.00 sets requirements for security policies for storing and handling personal information, in both paper and electronic form, consisting of the full name of a Massachusetts resident in combination with elements that include a Social Security number, financial-account number, driver’s license, or credit or debit card number.
It contains no specific penalties for non-compliance with the law, but could open the door to lawsuits or legal actions by the state’s attorney general.
Like the well-known California Senate Bill 1386, which a few years ago began to affect businesses well beyond California because it requires public notification of any data breach involving information about California residents, the Massachusetts 201 CMR 17.00 regulation is getting a lot of attention outside the state because it sets lengthy security-process and technical guidelines for the handling of personally identifiable data of Massachusetts citizens.
The Massachusetts law includes a set of “Computer System Security Requirements” defining mandated authentication, access control and encryption of records and files containing personal information.
Specifically, the regulation requires “to the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly,” and “encryption of all personal information stored on laptops or other portable devices.”
In some respects, it may be the toughest state law on the books today as regards encryption, though the regulation’s final form is still emerging.
Many businesses today are considering how to meet the requirements of the Massachusetts data-privacy law, and there is considerable anxiety about it, says Mark Steinhoff, a principal in the security and privacy practice at Deloitte Touche Tohmatsu.
The law would appear to require encryption of laptops, he notes, but Steinhoff asks what happens with other types of devices, such as MP3 players, that technically fall under the regulation but for which encryption software might not be commercially available.
Avivah Litan, Gartner analyst, says her clients, in discussing the extant Massachusetts data-privacy law, have said they feel the “most onerous requirements are the business process requirements, such as establishing risk-management practices and employee training programs.”
But she adds that the regulation’s technical requirements are in general “very straightforward” and “security officers will use it as a long-awaited justification for more IT budget and resources.”