
Controversial data-security rules slow to take hold in Massachusetts



OMEN
02-23-2009, 04:09 PM
New regulations on storing personal data have businesses up in arms — and not just in Massachusetts. But the state keeps delaying its compliance deadline.
Massachusetts officials this month gave companies a second reprieve on complying with new regulations aimed at any entity that stores the personal data of state residents. They also softened a particularly contentious provision requiring businesses to ensure that third parties handling such data are in compliance with the rules.

But the state left intact other parts of the regulations that have sparked criticism from the business community both inside and outside of Massachusetts. And even with the extension of the compliance deadline from May 1 to the start of next year, meeting the requirements could be a challenge for some companies.

Massachusetts isn't the only state imposing security regulations on businesses. Last fall, Nevada put into effect a rule requiring personal data to be encrypted if it's transmitted outside of a company's network. And New Jersey is phasing in a set of data security mandates over a two-year period.

But the regulations announced last September by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) specify a long list of steps for protecting personal data and require companies to create wide-ranging internal security programs and policies. Also, the OCABR defines personal data more stringently: as an individual's name along with his Social Security or driver's license number, or with a financial account number. In Nevada, bank and credit card numbers must also be accompanied by a PIN or password to meet the state's definition of personal data.

In addition, the OCABR's rules were written to apply to all organizations that handle the data of Massachusetts residents, whether the businesses are based in the state or not. And the regulations are expected to spawn a host of me-too measures in other states.
Mandated in Massachusetts

The state's security regulations will require companies to:

* Encrypt personal data that is stored on portable devices or being transmitted on public networks or via wireless connections.
* Deploy secure user-authentication and access-control measures, and conduct "reasonable" monitoring of systems in an effort to spot unauthorized activities.
* Install firewalls, operating system patches and client-level security tools that are "reasonably up to date" on all systems.
* Develop a comprehensive data-security program that sets internal policies and specifies disciplinary measures for employees who violate them.
* Inventory all electronic and paper records to identify the ones that contain personal data.

From an implementation standpoint, the rules set by Massachusetts are "the most stringent data security regulations in the U.S.," said the chief privacy officer at a large bank that has numerous branches in the state.

Because of the wide range of mandated actions, finding enough "time and capacity to implement this in a meaningful way" will be a big hurdle, said the CPO, who requested anonymity. "Pushing an unreasonable timeline to businesses will force many to duct-tape together a [security] program that appears to meet the requirements but offers little real protection," he warned.

Last month, a coalition of 70 organizations — including the Retailers Association of Massachusetts, the Massachusetts Bankers Association, the Greater Boston Chamber of Commerce and companies such as Wal-Mart, Target, Microsoft and Google — submitted a petition to the OCABR asking for a "rigorous stakeholder analysis" of the regulations.

The petition questioned the third-party data-handling rules and the need for mandatory encryption, data inventories and limits on the information that companies collect. It also described the May 1 compliance deadline as "overly aggressive" and called for a phased approach like New Jersey's.

"A vast majority of companies in Massachusetts and around the country know nothing about this regulation," said Jon Hurst, president of the Retailers Association of Massachusetts.

Hurst said the Boston-based trade group isn't opposed to the idea of improving data security. But he questioned the wisdom of requiring companies to adopt costly new security measures at a time when many are struggling "just to make payroll" because of the economic recession.
The OCABR didn't respond to requests for comment about the revision of the rules and the extension of the compliance window — the second one granted in the past three months by the agency, which originally wanted companies to comply by the start of this year.

However, in a statement included in the Feb. 12 announcement of the changes, Daniel Crane, the agency's undersecretary, tacitly acknowledged that even the May deadline was too soon for some companies.

"These new safeguards are fundamental standards that will keep information safer and will help businesses reinforce a vital sense of trust with customers," Crane said. But, he added, "it's worth making sure every business in the state has time to make the necessary changes to comply with these regulations." Crane also said that state officials "understand the impact of the current business environment" on companies.

The regulations initially mandated that companies get third-party service providers with access to personal data to certify that they were compliant with the rules. Under the revised version, businesses only have to take "all reasonable steps" to ensure that third parties are applying controls comparable to the ones spelled out by the OCABR.

Deborah Birnbach, an attorney at Boston-based Goodwin Procter LLP, said the third-party provision was a "very impractical and intrusive" mandate that would have required companies to rewrite their contracts with outside providers. That would have been onerous, according to Birnbach — especially for large businesses that deal with many third parties. "Our clients have been somewhat up in arms," she said.

But not everyone has a dire view of the new rules. Chris Cahalin, director of network operations at Papa Gino's Inc., said the Dedham, Mass.-based restaurant chain was on track to meet the requirements before the latest extension of the compliance deadline.

One of the keys to achieving compliance is to make sure that senior executives are aware of the regulations, Cahalin said. "Once you get management involved at that level, it makes it easier to go along. Then you can go on to educating users" — while also seeking their help in determining where personal data exists in systems, he said.

A large Massachusetts-based retailer was also on track to comply with the new rules by May, according to a network administrator there who asked not to be identified. The admin noted that the retailer already meets many of the encryption requirements as a result of its compliance with the Payment Card Industry Data Security Standard, a set of mandates imposed on merchants by the major credit card companies.

The only new thing the retailer is doing because of the regulations, he added, is installing a file-transfer process management system from Ipswitch Inc. to ensure that data moving across its internal network is fully encrypted. The tool "basically uses encryption as part of the transport mechanism," the network admin said.

But the bank CPO said that in many ways, the Massachusetts rules are more prescriptive than the security and privacy provisions of the federal Gramm-Leach-Bliley Act are. And, he added, it took many years for the bank to become fully compliant with that law after it was approved in 1999.

Compworld
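The article's inventory requirement turns on which records count as "personal data," and it notes that the Massachusetts and Nevada definitions differ on account numbers. The following is an added illustration, not code from the article or from any regulator: a small scope check over constructed sample records, where the field names, the regex formats and the assumption that Nevada treats name + SSN/licence the same way as Massachusetts are all this example's own.

```python
import re

# Constructed sample records (not from the article); every value is fake.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Jane Doe", "ssn": "123-45-6789"},
    {"id": 2, "name": "John Roe", "account": "4111111111111111"},
    {"id": 3, "name": "John Roe", "account": "4111111111111111", "pin": "1234"},
    {"id": 4, "ssn": "987-65-4321"},                      # identifier with no name
    {"id": 5, "name": "Pat Smith", "email": "pat@example.com"},
    {"id": 6, "name": "Lee Chan", "license": "S12345678"},
]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
ACCOUNT_RE = re.compile(r"^\d{12,19}$")   # card/bank account digits, loosely


def _identifiers(rec):
    """Return which of the three regulated identifiers a record carries."""
    found = set()
    if SSN_RE.match(rec.get("ssn", "")):
        found.add("ssn")
    if rec.get("license"):
        found.add("license")
    if ACCOUNT_RE.match(rec.get("account", "")):
        found.add("account")
    return found


def is_personal_data_ma(rec):
    """Massachusetts (OCABR) definition as the article describes it: a name
    together with an SSN, driver's license number or financial account number."""
    return bool(rec.get("name")) and bool(_identifiers(rec))


def is_personal_data_nv(rec):
    """Nevada definition as the article describes it: a bank or card number only
    counts when a PIN or password accompanies it. Treating name + SSN/licence
    the same as Massachusetts is an assumption made for this example."""
    ids = _identifiers(rec)
    if "account" in ids and not (rec.get("pin") or rec.get("password")):
        ids.discard("account")
    return bool(rec.get("name")) and bool(ids)


def inventory(records, rule):
    """Return the ids of records in scope under the given definition."""
    return [r["id"] for r in records if rule(r)]


if __name__ == "__main__":
    print("MA scope:", inventory(SAMPLE_RECORDS, is_personal_data_ma))  # [1, 2, 3, 6]
    print("NV scope:", inventory(SAMPLE_RECORDS, is_personal_data_nv))  # [1, 3, 6]
```

Record 2 shows the difference the article points out: a name with a bare card number is in scope under the Massachusetts definition but not under Nevada's until a PIN or password sits beside it.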

JohnCenaFan28
02-23-2009, 06:06 PM
Interesting read, thanks for posting.