Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
Massachusetts Data Privacy Law Delayed, Again
We predicted this eventuality here, in this blog, 6 months ago. The MA Data Privacy law, touted by some as the most far reaching in the nation, is too unwieldy for small businesses to follow. However, the law is getting watered down a bit, making it more palatable for small businesses.
2 Min Read
We predicted this eventuality here, in this blog, 6 months ago. The MA Data Privacy law, touted by some as the most far reaching in the nation, is too unwieldy for small businesses to follow. However, the law is getting watered down a bit, making it more palatable for small businesses.So let's suppose you run a small business, say less than 25 employees. Do you even have a formal IT department? Perhaps you do, but most likely you've outsourced your IT operations, and you only call them in an emergency because making payroll is stressful enough. Now imagine having to comply with a data security regulation that was originally conceived of as a result of TJX, a company with millions of customers containing millions of records of personally identifiable information within their data centers.
The question is, should your business be held to the same data security regulation that TJX should? Thankfully, along with this second delay in the implementation of the new MS Data Privacy law, the original legislation has been amended to take a more "risk based" approach. What does that actually mean? Well, from what I can tell, the judiciary will have plenty wiggle room when assessing your ability to comply with the wide range of requirements written into the legislation.
The new version of the law (201 CMR 17.00) seems more palatable for small business. Much of what is in the presently proposed legislation should already be happening, even within small shops. Things like implementing password policy, auditing permissions to data that contains PII, ensuring virus and malware software is up to date, disabling the accounts of terminated employees, etc.. Those are tasks that clearly should not introduce additional burden on small businesses. The requirement to encryption PII can get tricky for small businesses, but few will argue about the merits of forcing this requirement.
The state of MA will be holding a public debate on the bill on 9/22 in Boston. It should be an interesting spectacle. Perhaps this hearing will devolve into a health care like shouting match between big business and the legislature. I plan on going, stay tuned for more.
About the Author
You May Also Like
More Insights
