IT Compliance Advisor welcomes our newest blogger, Paul F. Roberts:
I recently had the pleasure of speaking to a group of security professionals in New York about Massachusetts’ toughest-in-the-nation data privacy and protection law. It was one of those mutually beneficial events that sometimes come along: New York security professionals learned a little more about the guts of the Massachusetts law, and I got to pick their brains about what the law means for their employers, which rank among the largest IT shops in the nation.
My takeaway: Folks are only now starting to pay attention to this law and are very anxious about one big question — its enforcement.
There’s good reason for this concern. While the data protection law has been on the books for a couple of years, the regulations that spell out how to implement it (201 CMR 17.00) took effect only on March 1. Getting to that point was the culmination of a long and contentious fight among business leaders, state legislators and regulators over the scope and provisions of the requirements.
But now that 201 CMR 17.00 is “live,” the focus has shifted to the question of enforcement, as organizations with customers in Massachusetts try to divine how this law is different from all other laws. The questions and comments I fielded from top IT security practitioners in New York suggested there is lots of grey area. Here are some areas where enforcement actions by the Massachusetts AG can add some color.
Will there be any enforcement of this law, and if so, what for?
This is the big question. Word is that the state attorney general’s office is looking into violations of Massachusetts General Law (M.G.L.) Chapter 93H, but no actions against specific organizations or individuals have yet been taken. One likely possibility is that enforcement will follow disclosure of a breach, as required by M.G.L. 93H, or will come after details of a breach have been made public. Failure to comply with 201 CMR 17.00 could then be used to punish firms retroactively: a breach investigation exposes the gaps, and the gaps become the violation. The Massachusetts Office of the Attorney General declined to comment on the question of enforcement.
Who is covered by the Massachusetts data protection law?
The text of 201 CMR 17.00 is pretty clear about the fact that the regulations apply to both individuals and corporate entities that own or license personal information about Massachusetts residents, including both employees and customers. But legal experts who follow the law say there’s still considerable uncertainty about which entities will be the focus of enforcement actions: companies that manage consumer data, companies that hold only their own employees’ data, or both? According to one attorney at a prominent Boston law firm, “we still see the basic ‘We don’t have consumers — do we really have to comply with this?’ question.”
A key question is what kinds of data will get the attention of regulators. Mega breaches affecting consumers, like the breach at TJX, are at the root of M.G.L. 93H. There is no reason, however, to assume that regulators won’t take an equally tough stand on companies that are loose with employee data.
Also unclear is whether those charged with enforcing the requirements in 201 CMR 17.00 will focus first on large corporations with customers in Massachusetts or on smaller in-state firms. The attorney I spoke with said that if a case involving an out-of-state entity presents itself (such as a major data breach), the AG has made clear that she will enforce the regulations in order to protect the interests of the affected residents of the commonwealth. For out-of-state firms, this means Massachusetts’ law is likely to become a de-facto national standard, at least until a tougher state law comes along.
What about mobile devices?
Of the eight IT-focused requirements in 201 CMR 17.00, one of the most contentious involves the security of personal information stored on laptops and other portable devices, and transmitted wirelessly or across public networks (i.e., mobile devices and the networks they use), where that information concerns Massachusetts residents. The IT pros I spoke with were understandably nervous about this one, and for good reason.
Many large enterprises are in the early stages of tracking and managing employee mobile devices. Yes, there are systems in place to enforce basic policies, but it’s an imperfect art and nobody I spoke with would say for sure they know what devices employees are using to check their email, or to log into work applications. With poor visibility into their mobile infrastructure, it’s hard to say which devices do and don’t contain personal information covered under M.G.L. 93H.
To ease tensions with the private sector, Massachusetts regulators inserted the idea of “technically feasible” into the wording of the data privacy regulations concerning the security of data on mobile and wireless devices. This means that if there is a “reasonable means through technology to accomplish a required result, then it must be used.” What is a “reasonable means through technology?” That’s right, you ask the attorney general.
Is there any safe harbor for companies?
There was much disagreement on this among members of the New York audience, with IT security pros relating different messages from their own corporate counsel. In some cases, the opinion seems to be that encryption of personal information constitutes safe harbor from prosecution. In others, there’s a belief that if organizations take reasonable steps to protect customer data, such as layered security protections, they’ll have shown due diligence.
The attorney I spoke with said that companies can get safe harbor from M.G.L. 93H by encrypting covered data, and by complying with the many requirements of 201 CMR 17.00. But, as with other regulations, organizations can have no “safe harbor” from the law itself. They can only be in compliance or out of compliance with it.
Paul F. Roberts is a senior analyst at The 451 Group in New York.