The Massachusetts Office of Consumer Affairs and Business Regulation has announced revised identity theft regulations, weakening portions of the original regulations and delaying until January 1, 2010, the deadline for compliance by businesses. The compliance deadline originally was January 1, 2009, and already was delayed once until May 1, 2009. The state created strong data security and privacy regulations in order to protect its residents, and the delay and revisions are mistakes.
The announced revisions to the regulations weaken protections for consumers. Network World reports:
As part of the revisions, state regulators also removed an especially contentious requirement mandating that companies get third parties with access to customer data to attest that they were compliant with the regulations as well. In addition, that provision also required third-party service providers to include language in their contracts specifying that they were willing and able to comply with the security rules.
Under the revised regulations, companies only have to take “reasonable steps” to verify that any third-party providers with access to personal data have the ability to protect the information through measures that are comparable to the ones spelled out by the [consumer affairs office].
You only need to read the consumer affairs office’s press release on the delay to see how necessary the strong regulations are: “Since November 2007, there have been over 450 reported cases of stolen or lost personal information that have affected nearly 700,000 Massachusetts residents.” Identity theft is a major problem nationwide. Privacy Rights Clearinghouse has a “Chronology of Data Breaches,” which shows that 252 million records have been exposed because of security breaches in the public and private sectors since January 2005.
As I discussed previously, the delayed Massachusetts regulations would require businesses that collect personal data from or about state residents to adopt a comprehensive written security program, conduct internal and external security reviews, and complete employee training. The regulations include minimum technical standards for computer systems that store or transmit state residents’ personal data: secure user ID protocols, secure access controls, data encryption, and monitoring of systems for unauthorized access or use.