On March 1, new data privacy regulations became effective in the Commonwealth of Massachusetts. The new regs require organizations that have access to personally identifiable information belonging to Massachusetts residents to take "comprehensive measures to protect" that information. If there is a breach that puts that information at risk, the organization is responsible for notifying the resident to whom the information belongs, as well as the Massachusetts Attorney General's Office.
But what's not exactly clear yet is how Massachusetts plans to enforce the requirements. Boston privacy attorney Cynthia Larose, a member of the law firm of Mintz Levin, told me last week that the uncertainty is rather frustrating for the business community.
Part of the problem lies in the fact that the attorney general's office must enforce regulations promulgated by the Office of Consumer Affairs and Business Regulation, Larose says. They're two different agencies with two different staffs, and apparently neither wants to talk about how the regulations will be enforced.
That doesn't mean, though, that affected companies can sit back and wait for a declaration from on high before they do anything. The regs apply now, and the minute the attorney general's office gets the obligatory call that a breach has occurred, "Those folks will get a call," Larose says.
In other words, before a formal investigation begins -- before the AG's office even sends out a letter -- regulators will be asking questions about that company's information security plan and why it didn't work. Her advice, even while the enforcement approach is still murky? Have a plan. And "...even if they don't have the plan in place now, if it's not completely implemented, they should start getting something moving and make a good faith effort to comply."