February 11, 2010, 8:08 PM — After more than a year of delay and several modifications, a contentious Massachusetts data protection regulation appears set to go into effect March 1.
The law is aimed at getting companies to better protect consumer data. It affects all businesses that store personal information on Massachusetts residents, regardless of where the companies might be based.
The rules require PDF format businesses to encrypt sensitive personal information on Massachusetts residents that is stored on portable devices such as PDAs, memory sticks, DVDs, laptops, and storage media. Any personal information that is transmitted over a public or wireless network will also need to be encrypted.
Companies are required to take reasonable measures to control end-user access to sensitive data and to protect authentication information that can be used to gain access to the information. Businesses will also need to limit the amount of personal data they collect and must maintain an inventory of the information, monitor its usage and have a formal security plan for protecting the data. The rules were crafted by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) and were originally supposed to go into effect Jan. 1, 2009. The deadline was extended twice as a result of considerable push-back from businesses covered under the law. The first extension pushed the deadline back to last May, while the second one pushed it to March 1.
One of the biggest concerns had to do with a provision -- that has since been modified -- requiring businesses to ensure that all third parties with access to personal information are also compliant with the Massachusetts law. The provision would have required companies to rewrite their vendor contracts and to take steps to ensure their service providers were compliant with the Massachusetts regulations.
As it stands, businesses only have to take "reasonable steps" to verify that their third-party service providers have the ability to protect personal information via measures that are comparable to those prescribed by the OCABR. Companies have until March 2012 to include language in their third-party contracts obligating their vendors to employ reasonable measures for protecting personal information.