Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts’ data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010. (Before an earlier extension, the compliance deadline was May 1, 2009.)
The revised regulations emphasize their “risk-based” approach, enabling persons covered by the regulations to tailor their information security programs to their size, scope, type of business, resources, amount of personal information, and need. These changes were primarily intended to ease the burden of the regulations on small businesses that may not handle a significant amount of personal information, or may not have the resources to develop a sophisticated security program. That said, the changes apply to all businesses, not just small businesses.
This shift indicates that Undersecretary Anthony, only a few months into her new position, has listened to widespread criticism of the regulations, particularly from small business leaders, and understands their potential impact.
Importantly, the revised regulations add a “to the extent technically feasible” qualifier to all of the regulations’ computer system security requirements, meaning that encryption of personal information in transit and stored on portable devices is only required to the extent “technically feasible.” Although “technically feasible” is not defined in the regulations themselves, a definition is provided in the Frequently Asked Questions (FAQ) that accompanied the regulations. In addition, the regulations are technology neutral; in particular, “encryption” now includes any transformation of data into a form in which meaning cannot be assigned “without the use of a confidential process or key.” (Some will surely argue that this new definition of “encryption” does not necessarily require encryption at all; however, the FAQ suggests that the removal of references to specific technology from the definition was intended to allow for future encryption technologies, not necessarily earlier or less secure technologies.)
Another important change regards the required oversight of service providers. The revised regulations still require that service providers be bound to comply with the regulations’ standards, but only future service provider agreements must include such a requirement.
Additionally, the new regulations make other changes, such as deleting some of the prior regulations’ more specific requirements.
As noted by Undersecretary Anthony, “these updated regulations feature a fair balance between consumer protections and business realities.”
A press release by The Associated Industries of Massachusetts (AIM) specifically expresses AIM’s appreciation for the cooperation of Secretary Barbara Anthony and the assistance of Attorney General Martha Coakley, Representative Michael Rodrigues and Senator Michaela Morrissey over the course of the last several months to develop revised regulations that answer the concerns of the business community.
Public hearings on the revised regulations will be held on September 22, 2009.
This post was contributed to by Amy Crafts, a senior associate in Proskauer’s Boston office and a member of Proskauer’s Privacy and Data Security Practice Group.