Changes are coming to Massachusetts businesses. Bank Systems & Technology reported:
"... come May 1, [companies and banks] will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security. The Massachusetts Data Security Regulations are perhaps like no other in terms of their depth and scope... They go beyond the rules of other states and the federal government that simply require companies to notify their customers of theft of their personal information."
There are several personal data items consumers must protect. Companies and banks keep a wide range of sensitive data about consumers (e.g., customers, employees, contractors, and former employees) which they don't always protect. What makes the Massachusetts law stricter:
"... companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled. The rules also extend to entities' service providers and the degree to which they too much show they comply with the Massachusetts rules of handling data on residents. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State or if they are in an already heavily regulated industry, like financial services. As long as customers in businesses' databases reside in Massachusetts, those companies are affected by the rules."
Now that's a law I like. Clear data security protections for consumers. There's more:
"Under the rules, companies have a duty to monitor their security programs on an ongoing basis... The safeguards in the program must be administrative, technical and physical in nature. Entities will be required to identify all records used to store personal information... Businesses must also identify and assess both internal and external risks to the organization. Once these steps are completed, they must then evaluate (and improve, if necessary) the safeguards in place around such areas as employee training and physical security... companies will be obligated to limit the collection and use of personal information. They must identify the purposes for which they collect this kind of information and identify how long the wish to keep it and who can access it."
Since so many company data breaches have involved laptop computers and flash drives, the rules also cover employee training and:
"Companies will be required to encrypt data that is not only stored but also when it is being transmitted over networks or physically moved as when an employees take a laptop home."
Amen. That's pretty good legislation which covers most of the problem areas that cause data breaches. However, I would have liked to have seen specific protections in the legislation about RFID, and jail time for executives at companies that don't comply or experience repeated data breaches.
I encourage Massachusetts residents to write to their elected officials and thank them for these new data security. I encourage residents in other states to ask their elected officials what they are doing about data security so their state does not fall behind Massachusetts.