An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 4 of 5
Massachusetts Senate Bill No. 173 (PDF file), introduced earlier this year, would amend M.G.L. 93H (the Massachusetts data protection law) and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority (as well as its data protection regulations) on a few fronts. I'm reviewing four of the proposed changes in separate posts. Today, I'll examine a proposed change which requires different strokes for different folks, or rather different legal standards for protecting people's personal data. The proposed change adds,
Notwithstanding the rules adopted by the department [OCABR] ..., said department shall create separate regulations for small businesses ... that reflect said small businesses unique situation and resources.
Thus, under this proposed change, the law would not apply evenly, but would depend on the size of the business and require that separate standards be promulgated for small businesses. Perhaps it sounds reasonable when looked at from the perspective of protecting small businesses, but this change implies a person's privacy rights matter less depending on who is allowing them to be trampled upon. Should the law allow for different standards when it comes to individuals' rights, or should the emphasis be on protecting the absolute rights held by individuals instead?
If your identity is stolen because a company you do business with collects your personal identifying information and negligently fails to protect it, do you care what size company they are, or do you feel that perhaps the offending company shouldn't be held accountable because of their "unique situation and resources"? People's privacy rights shouldn't be protected a little bit--depending on who is violating them--they should be protected, period.
Recall, the first set of regulations has been delayed again and again--now more delays will likely be needed for new regulations to be adopted for small businesses. On November 12, 2008, the Office of Consumer Affairs and Business Regulation (OCABR) extended the deadline for compliance with its standards for how businesses protect and store consumers' personal information. On February 12, 2009, they filed revised ID theft regulations that would take effect Jan. 1, 2010, stating in their press release,
The regulations will take effect Jan. 1, 2010, and mandate that personal information – a combination of a name along with a Social Security number, bank account number, or credit card number – be encrypted when stored on portable devices, or transmitted wirelessly or on public networks. Encryption of personal information on portable devices carrying identity data like laptops, PDAs and flash drives must also be completed by Jan. 1, 2010, and will ensure better protection of personal information.
“It is time for businesses and other holders of personal information to ensure that consumers’ information is kept safe,” said Daniel C. Crane, the Undersecretary of the Office of Consumer Affairs and Business Regulation. “These new safeguards are fundamental standards that will keep information safer and will help businesses reinforce a vital sense of trust with customers.”
The regulations are a product of the identity theft prevention law signed by Gov. Deval Patrick. In keeping with the administration’s commitment to protecting consumers, Patrick signed an executive order last September requiring all state agencies to implement security measures consistent with the requirements in the regulations.
Since November 2007, there have been over 450 reported cases of stolen or lost personal information that have affected nearly 700,000 Massachusetts residents. The regulations are the first of their kind in the country, and had originally been scheduled to take effect on Jan. 1, 2009. A sharp change in the business climate, along with the business community’s increased understanding of what is required to protect their customers’ identity, led to the new date.
“Businesses are becoming more aware of the urgency of this issue. To achieve the full benefit for consumers as quickly as possible, it’s worth making sure every business in the state has time to make the necessary changes to comply with these regulations,” Crane said. “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”
OCABR's approach has seemed, and continues to seem, reasonable. This proposed legislative change (requiring new standards for small businesses), by contrast, seems rather odd. As discussed in my last post, another proposed legislative change would prevent OCABR from even requiring encryption or any other specific methods in its regulations. If the regulators can't require specific methods in their regulations, in what way will the small business standards be any different from the other regulations being watered down?
Unfortunately, enacting changes that lead to further delay simply ignores the real problem of consumer privacy invasions occurring today, which will continue while the time-consuming task of formulating new regulatory schemes unfolds. Perhaps this change, however, is more about the added timing element and the further delay required to adopt, advertise, and implement new regulations. Otherwise, it's perplexing: why would legislators pass a law in the first place and not even allow the adopted data protection regulations to be implemented before tinkering with the enabling law?
Time, energy, and resources have already been expended to put a consumer data protection law in place. Why wouldn't the legislature first see how it goes before gutting it? Were the lawmakers unaware of what they were doing when they passed the law in the first place? Or have certain lobbying efforts made the difference in a law that hasn't even gotten out of the starting blocks?
Many legislators had the courage to pass a consumer protection law to help protect people from some of the perils of the information age we find ourselves living in. The law they passed will help to safeguard people's personal identities and to bring protective measures into the forefront of the entire business community nationwide. I hope our legislators have the conviction to stick to their guns and to let their efforts lead the way. While no legislation by itself will be a panacea against identity theft or other data protection woes, allowing an enforceable law to proceed as currently written and planned demonstrates political conviction as well as a commitment to Massachusetts consumers.
Kevin, great blog you've been doing here! I agree with where you're coming from in that if we are trying to give people a "right" to have their information protected, that right becomes meaningless if you exempt small businesses.
However, I see where the other side is coming from -- the TJX case, where 94 million(!) credit accounts were stolen at once, was really where a lot of the impetus for this regulation came from. My company works with a lot of small law offices and small businesses who are very worried about how much 201 CMR 17 compliance will cost, and how much it will impact their day-to-day business operations.
For example, it is very common for a homeowner to request some paperwork from their real estate attorney during tax season. Usually this would take the form of a PDF file which might contain a few dozen scanned pages, one of which might have a Social Security number on it somewhere. While email is a fundamentally insecure system, any hacker running an email-sniffing operation would be going after much "fatter" targets than this, i.e. passwords for credit databases containing thousands or millions of social security numbers, etc. It simply wouldn't be worth the hacker's time to read through every PDF that passes through a small attorney's email in order to find a single social security number buried somewhere inside.
As part of the $99.95 "Compliance Kit" that we have put together for the small businesses we work with, we have tested and recommended the best affordable secure email solutions; however, pretty much all of these solutions have limitations that make them more difficult to use than regular insecure email. For instance, many of them have incompatibilities with smartphones, older PCs, Macs, etc. Pretty much all of them require the person you are sending to to go through several extra steps when they receive the message, and some of them also have limits on attachment size, limits on fonts and pictures within the email, etc.
Moreover, if the regulations make it quite clear that they can't use email, the majority of these attorneys are going to switch to using fax instead -- which is also a fundamentally insecure system (it can be easily sniffed by a simple phone tap, or in many cases you don't know who is standing next to the fax machine on the other end) but isn't addressed specifically in 201 CMR 17 anywhere.
Keep up the great blogging, it's good to see that other people are starting to think about what 201 CMR 17 really means.
Thanks,
Patrick
It is upsetting to see that the first cutting-edge law in the nation will eventually be shot, gutted, and hung out to dry. All of the provisions of 201 CMR 17 are attainable for all businesses regardless of size. The technology is there, the means to achieve it is there, the desire to achieve it is not!
The costs of achieving compliance for each business are far less than the $60 billion that was lost in 2008 to identity thieves. Identity theft cost each working-age American approximately $360 in higher prices and fees last year, which was passed on to them by the businesses that lost their information in the first place!
Setting separate rules for larger businesses than for smaller businesses is also an improper practice. I routinely visit small businesses at night and find cancelled employee and consumer checks, loan applications, and credit card receipts lying in the trash can for anyone to remove. When I confront the business owners, they tell me they were unaware of the laws or that they couldn't just toss them away!
Owning a business in the United States is "NOT" a right, it's a privilege. With that privilege comes the responsibility to protect the information they receive from consumers and employees, regardless of size!
As you can see, I get really worked up when it comes to the subject of identity theft. During my career in law enforcement, I investigated many identity theft cases. After retiring, I started a document destruction business to help prevent these crimes in my own little way. Imagine how shocked I was when I found out I had become a victim of identity theft because a security firm I once moonlighted for went out of business and discarded my information in the trash! Then, more recently, I became a victim of credit card fraud (can you say Heartland!). I am still feeling the effects of both incidents.
You see, it really doesn't matter to me if my information was stolen from a small or large business. What matters is that it was allowed to be stolen at all!
After the first incident I went on a quest to help businesses protect consumer information and Massachusetts finally provided the right tools to do it.
I thought Massachusetts would be the first state to fix this problem and all others would follow suit. I guess I was wrong.