Breach, Compliance Management, Data Security, Encryption

Massachusetts data security law compliance extended

Facing pressure from business owners, Massachusetts officials on Thursday extended the deadline to comply with the state's controversial data security regulations from May 1 until Jan. 1, 2010.

No reason was given for the eight-month extension, announced by the state Office of Consumer Affairs and Business Regulation. This is the second time the compliance date was extended. The law originally was scheduled to take effect Jan. 1 of this year.

Many business groups have been publicly critical of the regulations, which require any business that collects personal information of state residents to encrypt all portable devices, wireless transmissions and public networks. In addition, among other provisions, the law forces businesses to have a dedicated employee in charge of security, control access of workers and regularly monitor the security program.

In January, business owners and advocates convened at a public hearing on the regulations, saying the rules will hurt business and cost too much to comply with.

Nagraj Seshadri, product marketing manager at endpoint encryption firm Utimaco, attended the hearing.

"Basically, [they said] it's too prescriptive and it places a big burden on companies to comply," he told "I think they wanted more time for compliance and the provisions to be less prescriptive."

He added that some businesses, especially smaller ones, had not even heard about the regulations.

Alan MacDonald, executive director of the Massachusetts Business Roundtable, a 70-member group of business leaders, said the law would force businesses that already have robust security measures in place to spend even more.

"It's just that some companies already have what they believe to be pretty good systems [to protect privacy]," he told "The new law says to get rid of those systems and use the technology that meets the prescription of the new regulation."

The Consumer Affairs Office, though, said the rules will help stem the rash of data breaches. In a news release on Thursday, officials said more than 450 cases of lost or stolen information has impacted some 700,000 state residents since 2007.

"It is time for businesses and other holders of personal information to ensure that consumers' information is kept safe," Consumer Affairs Office Undersecretary Daniel Crane said. "These new safeguards are fundamental standards that will keep information safer and will help businesses reinforce a vital sense of trust with customers."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.