SBANE Hosts Panel on Commonwealth of Massachusetts’ New Data Protection Rules
Massachusetts General Counsel for the Office of Consumer Affairs and Business Regulations Among Speakers on Data Security Laws to Take Effect in March 2010
(Waltham, MA, December 1, 2009)—
Panelists from the worlds of information technology, data security and internet law joined Massachusetts General Counsel for the Office of Consumer Affairs and Business Regulations Diane Lawton in discussing the Commonwealth’s new protection rules at the Smaller Business Association of New England (SBANE) Profitable Connections event held today in Waltham titled “Data Security: Truth or Consequences.” The rules go into effect on March 1, 2010.
“What we were hoping to accomplish with this event was to encourage small businesses to get ahead of the data security issue, in advance of March 1, 2010 when the new regulations will go into effect,” said Bob Baker, President of SBANE. “The more educated small businesses can become about data security, the less risk they will have to face. The headaches of dealing with a data breach and the potential loss of customer trust can be significant obstacles to overcome, so being proactive to prevent them from happening in the first place is of the utmost importance to our members and small businesses throughout the commonwealth.”
“Businesses need to assess their data security risks and their ability to handle a security breach,” said Lawton. “While there is not one set rule on how much security is enough, businesses should know that the regulations are open to the fact that technology changes and security updates will need to be made by business owners.”
The new regulations state that any business or person that owns, licenses, receives or otherwise has access to personal information (PI) of a Massachusetts resident must safeguard that information in both paper and electronic formats. Businesses will now have to provide the following:
· A Written Information Security Program (WISP)
· Encryption of all PI stored on laptops or other portable devices
· Encryption of all PI records and files that are transmitted across public networks, and that are transmitted wirelessly
· Employee training, and monitoring of employee compliance.
The Massachusetts regulations will differ from the federal regulations in a couple of key areas. First, the rules will apply broadly to all businesses, as opposed to federal regulations like Sarbanes-Oxley or the Health Insurance Portability and Accountability Act (HIPAA), which only apply to financial and healthcare data, respectively. Second, encryption will be required of laptops or other portable devices, and when data travels over public networks. There will also be greater computer system security requirements.
“The time is right now for businesses to conduct a security risk assessment, to establish a comprehensive Written Information Security Program, to train their employees and talk them through the organization’s security practices,” said David Wilson, Esq. from Hirsch Roberts Weinstein, LLP who spoke at the event and provided history on data breach law in Massachusetts. “At the end of the day the new regulations are good for businesses and will help prevent identity theft, which for anyone who has had this happen to them can tell you it is a terrible thing.”
“When analyzing their current security protocol, companies need to say to themselves, ‘What would my customer say about our level of protection?’” said Panelist Jacob Braun, President of Waka Digital Media Corporation, a technology and security services provider serving the needs of small business across the commonwealth. “Businesses should realize that they have an ethical responsibility to protect their clients in the manner outlined in the new state and existing federal regulations.”
“Assuming that since your company’s data has never been hacked into before, it will not be attacked in the future, is foolish,” said Panelist Frank Vincentelli, Chief Technology Officer of Integrated IT Solutions, a computing services company serving businesses and organizations in the Eastern Massachusetts area. “The methods of data intrusion are constantly changing, but then so are the methods to defend against attacks, and the regulations around data security. Businesses need to educate themselves as to the latest security technology available so they can ultimately protect their data to the best of their ability.”
For more information on the new regulations, businesses can go to the Massachusetts Office of Consumer Affairs and Business Regulations website at http://www.mass.gov/?pageID=ocatopic&L=3&L0=Home&L1=Business&L2=Identity+Theft&sid=Eoca
About the Smaller Business Association of New England (SBANE)
The Smaller Business Association of New England is a nonprofit organization established in 1938 to promote and protect small businesses. Its 1000 member companies in six states range from sole-proprietorship service businesses and growing high technology firms to 200-employee manufacturing plants. SBANE's programs and services address the shared interests and needs of its diverse membership.