Massachusetts Privacy Law Stalled-Out Again and Weakening
In previous posts, I discussed the legislative amendment being kicked around that would weaken the MA data security law (M.G.L. 93H).
- An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part One
- An Act Ensuring Less Privacy of Massachusetts Residents' Data, Part 2 of 5
- An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 3 of 5
- An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 4 of 5
- An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 5 of 5
Well, it appears the legislative change may not be necessary, as the latest and ungreatest changes to the regulatory scheme appear to do the hatchet job for them. Too bad. In short, it's not good news for Massachusetts consumers or their privacy rights, as privacy rights seem, once again, to be taking a backseat to political influences.
The Official Website of the Office of Consumer Affairs & Business Regulation (OCABR) states:
BOSTON – Aug. 17, 2009 – ... The updated regulations will take effect March 1, 2010. The regulations make clear that their approach to data security is a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, should take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.
...
New language in the regulations recognizes that the size of a business and the amount of personal information it handles plays a role in the data security plan the business creates. The new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.
The changes, Anthony said, make clear the regulations are risk-based in implementation, not just in enforcement as had been the case in earlier versions of the regulations. In addition, the regulations are technology neutral and acknowledge that technical feasibility plays a role in what many businesses, especially small businesses, can do to protect data. The overall approach is more consistent with federal law, she said.
...The Office of Consumer Affairs and Business Regulation today sent to the Secretary of State notice of public hearing on the changes. That hearing will be held on Tuesday, Sept. 22, at 10 a.m. at the Transportation Building, 10 Park Plaza, Boston.
For more information about identity theft protection, visit the Office of Consumer Affairs and Business Regulation website, www.mass.gov/consumer.