A new Massachusetts law scheduled to take effect in May has been extended to Jan. 1, 2010, giving businesses more time to address and deploy technologies that tighten control of consumer data.
The law requires any firm conducting business with state residents to deploy encryption and protect against data leakage. Under the new rules, a person's name in combination with their Social Security number, bank account number or credit card number must be encrypted when stored on portable devices, or when transmitted across public networks or wirelessly.
Encryption of personal information on portable devices such as laptops, PDAs and flash drives must also be completed by Jan. 1, 2010, according to the Massachusetts Office of Consumer Affairs and Business Regulation, which announced the extension Thursday.
"We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections," Daniel C. Crane, Undersecretary of the Office of Consumer Affairs and Business Regulation, said in a statement.
The extension also included a revision that relaxes the requirement holding third parties accountable to the security rules. Under the original rules, companies had to attest that any third-party provider handling the data was compliant with the regulations.
Massachusetts has been ground zero for one of the most significant data security breaches in history. In 2007, TJX Cos., based in Framingham, Mass., announced a data breach in which attackers exposed at least 45.7 million credit and debit card numbers, leaving the cardholders open to fraud. TJX has since settled a number of lawsuits and, under a settlement reached with the Federal Trade Commission, agreed to implement tighter security and obtain independent audits every other year for 20 years. Since then, lawmakers have been looking for ways to force businesses to implement tighter security controls.
The regulations in Massachusetts and similar rules in Nevada are the first of their kind in the country, and experts say they could prove even more substantial than the data breach notification laws, which California was the first to enact. In October, California Gov. Arnold Schwarzenegger vetoed a bill that would have prohibited sensitive consumer payment data from being stored at all after a purchase is authorized. At the time, Schwarzenegger called the proposed law more demanding than the current Payment Card Industry Data Security Standard (PCI DSS) and said it would have been too costly for businesses.
The economy has played a role in slowing investments in new security measures, said Khalid Kark, a senior analyst at Forrester Research. Many organizations are moving toward outsourced services, and new projects are being undertaken at a slower pace.
"Companies are paying higher prices, but they're having the ability to change course when necessary," Kark said.
Ed Moyle, a manager with CTG's Information Security Solutions practice and a founding partner of Security Curve, said many businesses may have been blindsided by the rules, which extend to any business that collects data on Massachusetts residents. A heavy investment in technical controls would have been burdensome by the original May 1 deadline, Moyle said.
"Folks in Massachusetts were pretty well versed on it but a lot of other firms outside the state were caught a little bit by surprise," Moyle said. "The law hits them right in the center of their sweet spot."
Moyle said organizations should implement the mandates across the board nationwide as the path of least resistance. He called breach disclosure laws useful because they protect the consumer, but said they are reactive: they have helped shed light on the data leakage problem while doing little to prevent it.
"Proactive measures protect the data ahead of some kind of breach and that's what these new rules set out to do," Moyle said.