Data Compliance: Massachusetts Law Has National Implications (If It Ever Gets Finished)

Massachusetts' decision to revise its exceptionally tough new data privacy law (which will exert effects far beyond the Commonwealth's borders) has a lot of businesses (not to mention their lawyers and compliance advisers) wondering just what to do and when. How do you know what to comply with, and what to finesse? How far do you go in complying with a law that may be changed in the next few months?The buzz over the past few days regarding the ongoing revisions to Massachusetts' new data protection and privacy regulations has centered around what direction revisions in the law may take. At this point, it's anybody's guess, but with the law on the books at least there's a starting point.

The law, 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, establishes minimum standards for data protection, which pretty much requires that:

Businesses encrypt everything relating to records containing information about citizens of the Commonwealth

Businesses designate a specific person responsible for compliance

Businesses establish and enforce written security policies

... all of which is tough, but it gets tougher, as in: "Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated."

Nor have the regulators overlooked the tricky relationship between your customers' information and what happens when that information gets shared/used by outside vendors/partners, mandating that businesses take "reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information.."

The announcement that there would be revisions to the rules, without specifying what those revisions would be (they're due around the first of May) further complicates an already complicated situation.

A situation even further complicated by factors including a) the regulations are aimed at protecting information related to citizens of Massachusetts, which means, as I read it, that if you have a customer/vendor/associate residing in Massachusetts, you're subject to the regulations, and b) adherence to the Massachusetts regs must be "must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated."

When it comes to data protection, are we all citizens of Massachusetts now (and the other 49 states as well)?

Could be. Take a look at this map showing state-by-state data breach notification laws.

While most states follow California's lead and require beach notification in an expedient manner, some have gotten far more specific, as with Florida's requirement that notification be made within 45 days.

This patchwork of laws, rules, acts, regulations is likely only to get patchier. Add the gathering movement to collect state taxes on Internet sales (Florida is looking at a Net purchases tax, for example) and the additional levels of records-keeping (and required records-encryption) and you have a situation where what little time you have left after ensuring that you've met the data protection and encryption and policy regs for every state you do business in will be spent filing (encrypted, of course, as Ben Tomkins pointed out here yesterday)state (and ultimately county and local, no doubt) taxes on your sales.

There are some good things about the Massachusetts rules, not least of which is the insistence upon a written security policy, with clearly defined enforcement and disciplinary actions in the event of violations.

Nice, too, if awfully ambiguous, that the regulations mandates "Education and training of employees on the proper use of the computer security system and the importance of personal information security."

But right above that one, is an example of why these sorts of laws drive so many people crazy:

"For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

"Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis."

Reasonably up-to-date? How about constantly or perpetually or always?

Maybe that's the sort of language that will be adjusted and made more specific in the revisions, when the revisions are made more specific.

Until then, what to do?

The best you can, I guess. None of us wants a data breach, and all of us are aware of areas in which we can tighten up and focus in on potential vulnerabilities, sloppinness, areas where things are a little (or a lot) lax when it comes to data protection, data encryption, data access, while keeping a careful eye on your state (and all the others, it seems) require of you.