After several fits and starts, a new Massachusetts state regulation on data-security breaches goes into effect March 1, with some pretty harsh penalties attached.
Known as 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth, it applies to any person or company that owns or licenses personal information about a Massachusetts resident, including anyone who sells anything over the Web to such a resident, regardless of where the company is located or incorporated.
Odds are good that the regulation will be challenged in court. It is prescriptive on a few points (a written information security program, encryption of personal information stored on laptops and other portable devices or sent across public networks), but the rest of what it asks for is "reasonable" safeguards appropriate to the size and nature of the business, and that wording is vague about what data governance precautions companies are actually expected to have in place. If, for instance, a company loses Social Security numbers on a set of tapes stolen from the back seat of a locked car, both sides could argue whether that was carelessness or just bad luck.
As privacy and security issues related to data governance continue to gain prominence, Todd Chambers, chief marketing officer of Courion, which specializes in access-management controls, says IT organizations must finally bring their data governance policies into line with industry best practices, if only so they can demonstrate in court that they took reasonable precautions.
That may mean some new expenses, but it is a whole lot preferable to leaving the interpretation of "reasonable precautions" up to the courts, because it's anybody's guess how that might turn out.