Several trade associations and companies have also blasted the bill as being overly prescriptive, intrusive and costly to implement. Last January, a coalition of 70 organizations, including the Retailers Association of Massachusetts, the Massachusetts Bankers Association, the Greater Boston Chamber of Commerce and companies including Wal-Mart, Microsoft, Target and Google, sent a letter to the OCABR demanding a "rigorous shareholder analysis" of the bill. The letter listed six areas of concern, including the mandatory encryption and data inventorying provisions.
Mobile devices still a concern
Boston attorney Deborah Birnbach, who has been advising clients on the regulations, said today that many companies appear to have put considerable effort into getting ready for the new provisions.
One remaining area of concern pertains to the encryption requirement for mobile devices. Many companies are struggling to figure out how to efficiently encrypt protected data that's stored on mobile devices, such as Blackberries and other smartphones, she said. Some companies are also struggling to ensure that personal data stored on back-up storage media is encrypted, she said.
The regulations give the Massachusetts Attorney General's office enforcement authority for the bill. It remains unclear what might provoke an enforcement action by the AG's office or what such enforcement might entail, Birnbach said. The most likely scenario is that the AG's office will use its authority to investigate data breaches to see if a breached entity was compliant with the requirements of the statute, she said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.