An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 5 of 5

Massachusetts Senate Bill No. 173 (PDF file, or see full text below), introduced this year, would amend M.G.L. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on a few fronts. I've addressed a few of these in past posts.

After a short vacation, today I'll briefly be addressing the fourth proposed change, but more importantly the sum of all the proposed changes, because I fear they fail to protect consumers and their privacy rights, and instead seem very good at protecting certain business interests aided by powerful lobbying efforts.

Briefly, under the fourth proposed change, employees could be terminated for willful violations of the law, regulations, or written information security plans.

While I'm not going to attack this language (although you can see the proverbial passing of the buck coming here), it makes me ask, "As a group, did any of the four proposed changes help consumers while guarding individuals' privacy rights?"

Let's review a summary of the three changes I've previously discussed:

  1. Businesses would not have to comply with any Massachusetts state regulations with stricter standards than federal law.
  2. OCABR would be prevented from requiring that specific technologies or methods be employed. Thus, the proposed amendment effectively guts OCABR's encryption requirement (and its power to impose one in regulations).
  3. The law would not apply evenly, but would depend on the size of the business and require separate standards to be promulgated for small businesses, thus implying a person's privacy rights matter less depending on who is allowing them to be infringed upon. This would also add more delay as more layers of regulations are adopted.

The answer to my earlier question, I'm afraid, is a resounding "No": none of the four proposed changes help consumers while guarding individuals' privacy rights--thus the title of this series of posts, "An Act Ensuring Less Privacy of Massachusetts Residents' Data," which is a play on the proposed act's title, "An Act Ensuring the Privacy of Certain Data."

As stated in other posts, privacy rights simply aren't being treated as rights held by individuals but rather as things or issues to be regulated. With economic considerations, lobbying, and political influence guiding the outcome, it appears that short-term economic arguments may continue trumping individuals' privacy concerns. In the end, so long as economic incentives and business interests are placed before individuals' rights, then privacy rights can't really exist, no matter what we call or title them.

The full text of Senate Bill 173, An Act Ensuring the Privacy of Certain Data, is below. Funny, I don't think this is available anywhere else on the web except in PDF. Why is that?


SECTION 1. Section 2 of Chapter 93H of the General Laws, as appearing in the 2006 Official Edition, is hereby amended by striking out subsection (a) and inserting in place thereof the following: (a) The department of consumer affairs and business regulation may adopt regulations relative to any person or agency that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person or agency is regulated. The objectives of the regulations shall be to: insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

The regulations shall take into account the person’s size, scope and type of business, the amount of resources available to such person, the amount of stored data, and the need for security and confidentiality of both consumer and employee information. Notwithstanding the rules adopted by the department pursuant to the provisions above, said department shall create separate regulations for small businesses covered by this chapter that reflect said small businesses unique situation and resources.

Any person who is required to comply with federal laws, rules, regulations, guidance, or guidelines safeguarding personal information is deemed to be in compliance with this chapter.

SECTION 2. Section 6 of Chapter 93H of the General Laws is hereby amended by adding at the end thereof the following: A willful violation of this chapter or regulations implementing this chapter, or a written information security plan issued by a person covered by state or federal privacy laws shall provide just cause for the termination of an employee, whether the employee is employed by a private person, public agency or political subdivision of the state.


If you are interested in tracking Senate Bill 173 or others, perhaps this resource from the University of Iowa law library may be helpful.

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 4 of 5

Massachusetts Senate Bill No. 173 (PDF file), introduced earlier this year, would amend M.G.L. 93H (the Massachusetts data protection law) and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority (as well as its data protection regulations) on a few fronts. I'm reviewing four of the proposed changes in separate posts. Today, I'll examine a proposed change which requires different strokes for different folks, or rather different legal standards for protecting people's personal data. The proposed change adds,

Notwithstanding the rules adopted by the department [OCABR] ..., said department shall create separate regulations for small businesses ... that reflect said small businesses unique situation and resources.

Thus, under this proposed change, the law would not apply evenly, but would depend on the size of the business and require separate standards to be promulgated for small businesses. Perhaps it sounds reasonable when looked at from the perspective of protecting small businesses, but this change implies a person's privacy rights matter less depending on who is allowing them to be trampled upon. Should the law allow for different standards when it comes to individuals' rights, or should the emphasis be on protecting the absolute rights held by individuals instead?

If your identity is stolen because a company you do business with collects your personal identifying information and negligently fails to protect it, do you care what size company they are, or do you feel that perhaps the offending company shouldn't be held accountable because of their "unique situation and resources"? People's privacy rights shouldn't be protected a little bit--depending on who is violating them--they should be protected, period.

Recall that the first set of regulations has been delayed again and again--now more delays will likely be needed for new regulations to be adopted for small businesses. On November 12, 2008, the Office of Consumer Affairs and Business Regulation (OCABR) extended the deadline for compliance with its standards for how businesses protect and store consumers' personal information. On February 12, 2009, they filed revised ID theft regulations that would take effect Jan. 1, 2010, stating in their press release,

The regulations will take effect Jan. 1, 2010, and mandate that personal information – a combination of a name along with a Social Security number, bank account number, or credit card number – be encrypted when stored on portable devices, or transmitted wirelessly or on public networks. Encryption of personal information on portable devices carrying identity data like laptops, PDAs and flash drives must also be completed by Jan. 1, 2010, and will ensure better protection of personal information.

“It is time for businesses and other holders of personal information to ensure that consumers’ information is kept safe,” said Daniel C. Crane, the Undersecretary of the Office of Consumer Affairs and Business Regulation. “These new safeguards are fundamental standards that will keep information safer and will help businesses reinforce a vital sense of trust with customers.”

The regulations are a product of the identity theft prevention law signed by Gov. Deval Patrick. In keeping with the administration’s commitment to protecting consumers, Patrick signed an executive order last September requiring all state agencies to implement security measures consistent with the requirements in the regulations.

Since November 2007, there have been over 450 reported cases of stolen or lost personal information that have affected nearly 700,000 Massachusetts residents. The regulations are the first of their kind in the country, and had originally been scheduled to take effect on Jan. 1, 2009. A sharp change in the business climate, along with the business community’s increased understanding of what is required to protect their customers’ identity, led to the new date.

“Businesses are becoming more aware of the urgency of this issue. To achieve the full benefit for consumers as quickly as possible, it’s worth making sure every business in the state has time to make the necessary changes to comply with these regulations,” Crane said. “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”

OCABR's approach has seemed and continues to seem reasonable. This proposed legislative change (requiring new standards for small businesses), by contrast, seems rather odd. My last post discussed a proposed legislative change which would prevent OCABR from even requiring encryption or any other specific methods in its regulations. If the regulators can't require specific methods in their regulations, in what way will the small business standards be any different than the other regulations being watered down?

Unfortunately, enacting changes that lead to further delay simply ignores the real problem of consumer privacy invasions occurring today, which will continue while the time-consuming task of formulating new regulatory schemes unfolds. Perhaps this change, however, is more about the added timing element and the further delay required to adopt, advertise, and implement new regulations. Otherwise it's perplexing: why would legislators pass a law in the first place and not even allow the adopted data protection regulations to be implemented before tinkering with the enabling law?

Time, energy, and resources have already been expended to put a consumer data protection law in place. Why wouldn't the legislature first see how it goes before gutting it? Were the lawmakers unaware of what they were doing when they passed the law in the first place? Or have certain lobbying efforts made the difference in a law that hasn't even gotten out of the starting blocks?

Many legislators had the courage to pass a consumer protection law to help protect people from some of the perils of the information age we find ourselves living in. The law they passed will help to safeguard people's personal identities and to bring protective measures into the forefront of the entire business community nationwide. I hope our legislators have the conviction to stick to their guns and to let their efforts lead the way. While no legislation by itself will be a panacea against identity theft or other data protection woes, allowing an enforceable law to proceed as currently written and planned demonstrates political conviction as well as a commitment to Massachusetts consumers.