TDR, Privacy

Massachusetts data security law rule extended four months

November 18, 2008

Businesses have been given a little more slack in complying with Massachusetts' new stringent identity theft prevention regulations.

The state Office of Consumer Affairs and Business regulation (OCABR) recently extended the deadline for compliance from Jan. 1 until May 1.

Taking into consideration the economic uncertainties that businesses are facing, the office said it recognizes that additional time may be needed to comply with the new regulations, considered by many to be the most strict data security law in the United States.

Many businesses already have some ID theft measures in place, according to a news release from the OCABR. The regulations, though, provide a more comprehensive standard for how businesses must protect and store their customers' personal information.

The law applies to companies that have customers or employees in Massachusetts.

The regulations require businesses to take a number of measures including encrypting wireless-transmitted data, utilizing up-to-date firewall protection and only permitting authorized users to have access to or to transmit data, according to the OCABR.

Eddie Schwartz, CSO of NetWitness, a network security monitoring firm, said that during a recent event with customers, many security professionals expressed concern over meeting the Jan. 1 deadline and shoring up all the vectors through which data could leave an organization.

"This Massachusetts law is scaring the heck out of a lot of people," Schwartz told SCMagazineUS.com last week. He added that he expects many states to pass similar legislation in the coming months.

An OCABR spokeswoman told SCMagazineUS.com on Tuesday that the agency is trying to help end-users meet compliance through outreach and education.

This includes "speaking to local chambers of commerce and other interested stakeholders and making information available online such as a compliance checklist and a small business guide for formulating security programs," she said in an email.

May 1 also marks the deadline for compliance with the federal "Red Flags Rules" regulation, which require that creditors and financial institutions create and implement an ID theft prevention program. Last month, the Federal Trade Commission extended the deadline for compliance with the guidelines from the original Nov. 1 deadline until May 1, 2009.

The FTC said the deadline to be in compliance with the "Red Flags Rules" was extended because many companies would not be prepared by Nov. 1.

prestitial ad