For those of you stressing over the changes to personal information policies and procedures required by the pending Massachusetts data security regulations, you can breathe a sigh of relief... sort of. The deadline for implementing the new policies has been pushed back - for the third time. Now the new regulations will take effect on March 1, 2010 (rather than in January), and some of the more controversial aspects of the law have been watered down to make the requirements more palatable to small businesses. If you are a business owner who is not aware of the upcoming changes, you need to take a look. The far-reaching regulations are a response by lawmakers to the highly-publicized security breaches at TJX, The Boston Globe, and others where thousands of social security numbers, credit card numbers, and other personal information were carelessly unsecured. As described by Mass High Tech:
The Massachusetts regulations, first promulgated last fall based on a legislative directive, will go further than any other state by requiring any company that handles state residents’ sensitive data to take measures to protect it. Measures include encryption and extend to ensuring that all third-party IT service providers adequately protect sensitive data — a clause that drew criticism from business owners as an onerous requirement.
Specifically, the revisions to the data security regulations moderate the specific requirements to make them more consistent with the federal privacy requirements under the Gramm-Leach-Bliley Act. The new Massachusetts privacy regulations apply to any business - yes, even outside of Massachusetts - engaged in commerce that collects and retains personal information of Massachusetts residents in connection with the provision of goods and services. While these regulations will apply to all businesses regardless of size, the new revisions make clear that the regulations will apply a risk-based approach based on the size and scope of each business. (i.e., smaller businesses storing small amounts of information will be required to take different actions than would a large company with much more information and resources).
So, what does this mean for you?
If you are a business owner who collects the first name or initial and last name of a Massachusetts resident in combination with that resident's (a) Social Security number, (b) drivers license or state issued identification card number, or (c) financial account number or credit or debit card number, you must comply with the new regulations by March, 2010. That includes, at a minimum:
- creating a comprehensive information security program for safeguarding against "reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity" of the personal information, including employee training and education;
- encrypting all data and files containing the personal information to the extent "technically feasible" and maintaining "reasonably up-to-date" firewall protection and operating system security patches; and
- taking "reasonable steps" to select and retain third-party service providers that are capable of maintaining appropriate security measures consistent with these regulations and any applicable federal regulations.
The steps that were originally included as required actions are now offered as guidance to comply with the regulations, but whether a company is ultimately in compliance will be determined on a case-by-case basis. In any event, all businesses should take a look at their data security procedures to make sure they are up to date.
Are you concerned about how the new regulations will affect you? What do you see as the biggest challenges to comply?