Massachusetts Extends Data Protection Deadline

Ralph DeFrangesco

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has once again extended the deadline for businesses to comply with its standard (201 CMR 17.00) on how they must protect personal consumer data. The standard was to go into effect in January, but because of the economic conditions that financial organizations are facing, the OCABR has decided to extend the deadline to May 1, 2009.


Any business that collects personal information, and its service providers, must comply with the new standard. Businesses have until the extended deadline to sign new contracts with their service providers, and then have until Jan. 1, 2010, to certify that their third-party providers are compliant. The regulation applies to businesses that have clients in Massachusetts even if the business itself has no office in the state. The standard is very specific: it covers encrypting data transmitted over wireless networks, keeping firewall protection current, controlling access to data, and securing portable devices that store data in transit, such as BlackBerries, laptops and flash drives. The date by which data on these devices must be encrypted has also been extended to the May 1, 2009, deadline.


Current regulations require that businesses notify customers when their personal data is stolen. The Massachusetts standard is all-encompassing and goes well beyond any other state, or the federal government, with regard to protecting consumers' personal data. The OCABR will take the size and type of company into account when determining whether a business is in compliance with the regulation.


I think that Massachusetts is taking an unprecedented step in trying to protect our personal data. In December, I wrote a post that identified a few bills that Congress is working on to protect consumer data. Let's hope that other states work to pass similar regulations.

Jan 23, 2009 11:08 AM Mike Pilaitis says:
I applaud the steps that Massachusetts is taking in protecting personal information. To me though, this addresses a symptom and not the root problem. In Europe, the privacy laws make the supposition that personal information belongs to the individual, and companies need permission to collect and maintain personal data. Sort of an opt-in approach. In the US, personal data is assumed to be owned by the company that collects it. If an individual does not want their information collected, they have to contact each company that owns it, an opt-out approach. This has led to many companies keeping and storing as much personal information as possible, to help build or maintain a competitive advantage. This vast amount of information being stored, without a comprehensive set of standards or best practices, has led us to where we are now, with a hodgepodge of federal and state regulations dealing with the management of this information. This patchwork of regulations can lead to excessive complexity and cost. I see the solution as a two-pronged approach. First we should adopt the European model. Personal data should be owned by the individual, and considered private by default. Companies that then need to keep and track it need to request permission. By limiting where the data is, the job of securing it is greatly simplified. The second approach I would like to see is a set of standards that are adopted nationally specifically dealing with the protection of personal data. I am envisioning a model similar to the Accounting Best Practices.
