Massachusetts Data Protection Law Delayed Again—Is Your Company (Still) At Risk?

David Ting
Feb 03, 2012

A recent BankInfoSecurity article reported that the Massachusetts Data Protection Law has been delayed yet again, pushing the new effective date back to March 1, 2010. As part of the law, organizations are required to protect confidential data – social security numbers, driver license numbers and financial account/credit/debit card numbers – of Massachusetts citizens. The regulation covers all non-public data, regardless of how the company obtains the information.

However, the state’s Office of Consumer Affairs and Business Regulation (OCABR) modified its data security regulations by facilitating a 'risk-based approach' to data security to help small businesses better comply with these regulations. These new amendments take into consideration the size of a business and the amount of personal information it manages, and this is directly linked to the type of security plan that business operates.

As I mentioned in a November 2008 blog post, Massachusetts Data Privacy Regulations – Are You Protected? -- the need for strong authentication and solid access management policies is apparent as all companies, regardless of location and size, need control over who is accessing what information, how and from where and equally important to maintain detailed audit records. These regulations were put in place to ensure companies are doing just that – taking the proper steps to provide a comprehensive security posture that prevents unauthorized access to confidential customer information. This is especially important in preventing a data security breaches as the insider threat continues to escalate.

Nevertheless, this marks the third time in the past 8 months the law has been extended, - perhaps underscoring the point that Massachusetts-based companies may notbe prepared or equipped with the security solutions necessary to properly protect their critical customer data …begging the question: is your organization still at risk of a data breach or unauthorized access.

As I said in 2008, the deadline will be here before you know it and the last thing you don’t want to find your company at risk for being non-compliant. Pushing off compliance-driven activities because the deadline is extended only increasesthe potential for a breach. If the penalties are not enough to warrant taking action, think about the potential damages to your company’s reputation if such a breach were to occur.

Is your organization compliant with the Massachusetts Data Privacy Regulations? If so, what security policies have you implemented to ensure the integrity of your organization?