An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 4 of 5

Massachusetts Senate Bill No. 173 (PDF file), introduced earlier this year, would amend M.G.L. 93H (Massachusetts data protection law) and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority (as well as its data protection regulations) on a few fronts. I'm reviewing four of the proposed changes in separate posts. Today, I'll examine a proposed change which requires different strokes for different folks, or rather different legal standards for protecting people's personal data. The proposed change adds:

Notwithstanding the rules adopted by the department [OCABR] ..., said department shall create separate regulations for small businesses ... that reflect said small businesses unique situation and resources.

Thus, under this proposed change, the law would not apply evenly, but would depend on the size of the business and require that separate standards be promulgated for small businesses. Perhaps it sounds reasonable when looked at from the perspective of protecting small businesses, but this change implies a person's privacy rights matter less depending on who is allowing them to be trampled upon. Should the law allow for different standards when it comes to individuals' rights, or should the emphasis be on protecting the absolute rights held by individuals instead?

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 3 of 5

Massachusetts Senate Bill No. 173 (PDF file), introduced by Senator Michael W. Morrissey this year, would amend M.G.L. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on a few fronts. I'm taking each one up in a separate post. Today, I'll address a proposed change that involves encryption and specific technologies and adds the following language:

The department [OCABR] shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

To put this proposed change in the proper context, you must know that OCABR's current regulations require data be encrypted. Unlike today, this proposed change would ensure OCABR is prevented from requiring that specific technology or methods be employed. Thus, the proposed amendment effectively guts OCABR's encryption requirement (and its power to impose one in regulations). Not only does this weaken the agency helping protect consumers' data, but it takes the bright lines out of the regulations and makes the revised law effectively fuzzy at best. In sum, the change leads to foreseeable ambiguity and real-world enforcement problems.

Who does this change really protect?

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 2 of 5

Massachusetts Senate Bill No. 173 (PDF file), introduced this year, would amend M.G.L. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on a few fronts. I'm taking each one up in a separate post, and today I'll address the first proposed change.

If SB 173 is enacted, businesses would not have to comply with any state regulations with stricter standards than federal law. While businesses need to comply with federal law, this should not stop states from implementing higher standards to protect their residents. This suggested revision hurts individuals' privacy rights, as compliance is limited to the lowest common denominator and doesn't aspire to improve safeguards beyond minimum standards.

While some commentators previously commended MA for leading the way on data privacy protections, this proposal brings us back, at best, to the status quo. A review of data breach news headlines demonstrates the status quo simply isn't working or protecting people's privacy. MA has a chance to take the lead in protecting individuals' privacy rights, and punting isn't the best option.

In the end, so long as economic incentives and business interests are placed before individuals' rights, then privacy rights are at risk. I hope Massachusetts opts to lead the way on protecting privacy and doesn't adopt the proposed amendment.

The timing of this proposed amendment baffles me: why gut a law the state legislature passed that hasn't even been given a chance to work?

Next, I'll discuss the data encryption and data protection methods that are being stripped away under the proposed change.