A bill being discussed in the Massachusetts Senate proposes major changes to MA GL 93H, the Data Breach Notification Act. These changes could in turn result in revisions to 201 CMR 17.00, the data protection regulation promulgated by the Office of Consumer Affairs and Business Regulation (OCABR), including removal of specific encryption requirements and deference to federal statutes.
- Image via Wikipedia
We wrote about it last week in “Mass. Senate seeks to amend, weaken data breach notification law.” As you know, we’ve been covering news on the nation’s most comprehensive data protection law since the beginning of the year, including a podcast with the OCABR CIO and general counsel:
Kevin Beaver, a contributor to SearchCompliance.com, offered his commentary on the situation nationally: “Are you out of the loop on state data breach notification laws?“
Sarah Cortes reminded the readers of SearchCompliance.com last week of the risk of penalties for violating data privacy laws.
Anne McCrory, editorial director for the CIO/IT Strategy Media Group at TechTarget, also has rung in with her view: “It’s time for a federal data protection act,” following Scot Petersen’s take: “Red Flags Rule delay reveals troubling pattern developing.”
Our sister site, SearchSecurity.com, posted some additional advice: Encrypt now to meet new Mass. data protection law.
So with all that out there, here’s what I’m wondering:
What do you think of the law?
What are your thoughts on the proposed revisions?
How are you approaching compliance with the regulation?
Do you have clients or partners that you are advising on the topic? What do they think?
I’ve been interviewing many of our readers on precisely these questions, including many thought leaders, CISOs, privacy officers and CIOs. I’d be grateful for your thoughts as well.
As you know, you can also find us @ITCompliance on Twitter