Truth or Delusion? - Myths and Misunderstandings about the Massachusetts Data Security Regulation. Part I
March 4, 2018
This past Monday, the nation’s “most comprehensive data protection law” went into effect, yet many questions remain as to how the regulation will be interpreted and enforced. The law was promulgated by the Office of Consumer Affairs and Business Regulation. While OCABR put it together, the Massachusetts Attorney General is charged with enforcement. As of this writing, I found nothing posted on the AG’s web site that addresses interpretation or enforcement. So business owners and their legal and technical advisors are left to their own best guess.
More surprising, many business owners are not even aware of the new law or mistakenly believe that it does not apply to them. For instance, here are several myths surrounding the new law:
Myth 1 – “Businesses located out of state do not need to comply.” This is false. The regulation applies to any business, wherever located, that has access to “Personal Information.” Personal Information, or PI, is a Massachusetts resident’s name in combination with certain identity or financial data, such as a social security number, driver’s license, bank or credit card account number, etc. The regulation does not distinguish between in-state and out-of-state businesses.
Myth 2 – “The regulation only applies to bigger businesses with several employees and volumes of Personal Information. It doesn’t apply to small Mom and Pop businesses.” This is false. The regulation applies even if you have just one employee or customer as long as you have access to Personal Information.
Myth 3 – “I am in a health care or financial services business that is already regulated under federal privacy laws (i.e. HIPAA or GLBA), so we are already covered.” This is false. The federal laws are extensive but they do not perfectly overlap with the Massachusetts regulation. For instance, those laws are geared toward patients and customers, but Massachusetts also includes employees. And the requirements for the written information security plan (WISP) are not identical. That said, there are similarities in the requirements, so an organization that is already comfortable with HIPAA or GLBA probably will not have to do very much to achieve compliance in Massachusetts.
In my next article I will explore additional myths.