Massachusetts IT Departments Shoulder Greater Security Burden

by dicenews Mar 3, 2010 2 min read

Whenever government mandates rules and regulations, if often puts companies under pressure to create more jobs. That could be the case in Massachusetts in the wake of new rules requiring businesses to protect personal digital data.

Boston The regulations mean Bay State IT departments will have to institutionalize specific processes to ensure Social Security, drivers licenses, credit card and debit numbers are protected, reports Quincy's Patriot Ledger. Some of the highlights:

Companies need to implement their own data security plans to protect customers' personal information.
One or more employees at a particular company need to be assigned to oversee these security programs.
Such security programs need to be regularly monitored, and the scope of the programs need to be reviewed at least annually or at any time when there's a major change in business practices.
All records containing personal data that are transmitted wirelessly or sent via public networks such as the Internet need to be encrypted. Personal data stored on laptops and other portable devices also need to be encrypted.
Third-party service providers also need to comply with the rules, although some leeway is provided until March 1, 2012, for contracts that were entered before Monday.

Companies are pushing back, but they may be swimming against the tide:

The Massachusetts law is breaking new ground in data protection requirements, just as the California state data breach notification law that was passed in 2003 did for state data breach notification laws. The effect of the Massachusetts law has already been seen, as other states such as Michigan are looking at passing similar tough data protection requirements for their state residents' personal information. CA-1386 was passed by California state legislators after a 2002 data breach affected thousands of state workers, including some of the legislators themselves.

Companies do have legitimate concerns here, as ComputerWorld points out:

One of the biggest concerns had to do with a provision - that has since been modified - requiring businesses to ensure that all third parties with access to personal information are also compliant with the Massachusetts law. The provision would have required companies to rewrite their vendor contracts and to take steps to ensure their service providers were compliant with the Massachusetts regulations.

The burden falls squarely on IT departments to make sure their companies don't face fines for non-compliance. The silver lining? More opportunities for those well-versed in security

-- Sonia R. Lelii

The regulations mean Bay State IT departments will have to institutionalize specific processes to ensure Social Security, drivers licenses, credit card and debit numbers are protected, reports Quincy's Patriot Ledger. Some of the highlights:

Companies need to implement their own data security plans to protect customers' personal information.
One or more employees at a particular company need to be assigned to oversee these security programs.
Such security programs need to be regularly monitored, and the scope of the programs need to be reviewed at least annually or at any time when there's a major change in business practices.
All records containing personal data that are transmitted wirelessly or sent via public networks such as the Internet need to be encrypted. Personal data stored on laptops and other portable devices also need to be encrypted.
Third-party service providers also need to comply with the rules, although some leeway is provided until March 1, 2012, for contracts that were entered before Monday.

Companies are pushing back, but they may be swimming against the tide:

The Massachusetts law is breaking new ground in data protection requirements, just as the California state data breach notification law that was passed in 2003 did for state data breach notification laws. The effect of the Massachusetts law has already been seen, as other states such as Michigan are looking at passing similar tough data protection requirements for their state residents' personal information. CA-1386 was passed by California state legislators after a 2002 data breach affected thousands of state workers, including some of the legislators themselves.

Companies do have legitimate concerns here, as ComputerWorld points out:

One of the biggest concerns had to do with a provision - that has since been modified - requiring businesses to ensure that all third parties with access to personal information are also compliant with the Massachusetts law. The provision would have required companies to rewrite their vendor contracts and to take steps to ensure their service providers were compliant with the Massachusetts regulations.

The burden falls squarely on IT departments to make sure their companies don't face fines for non-compliance. The silver lining? More opportunities for those well-versed in security

-- Sonia R. Lelii

Massachusetts IT Departments Shoulder Greater Security Burden

Massachusetts IT Departments Shoulder Greater Security Burden

Dice Staff