As of March 2010, businesses and organizations that have access to personally identifiable information of Massachusetts residents will have to undertake "comprehensive measures to protect" that information. And according to Massachusetts law, such measures include express contract provisions with service providers that they, too, have systems and processes in place to protect that information.
Even though the compliance deadline is still months away, Compliance Week blogger Melissa Klein Aguilar says the new requirements have already proven costly, according to a survey of members of the International Association of Privacy Professionals. Conducted in conjunction with the law firm of Goodwin Procter, the IAPP survey found that 76 percent of those responding said they have access to personal information of Massachusetts residents, and roughly one-third of them have already spent at least $50,000 to comply with the regulations. In terms of time spent, 44 percent of respondents said they have spent more than 100 hours on compliance efforts.
The survey also revealed that 30 percent of respondents work with 100 or more vendors. Goodwin Procter partner Brenda Sharton told Compliance Week that compliance for those organizations will be especially complex, because they must also ensure that each of those vendors can protect the personal information.
However, as is the case with those who must comply with other compliance schemes, I'm sure the organizations to which these regs apply will find that the cost of compliance pales in comparison to what the cost of non-compliance would be -- both monetarily and in terms of company reputation.