
State to Hold Hearing On Effective Dates for Data Regulations

The Massachusetts Office of Consumer Affairs and Business Regulation will conduct a public hearing on January 16 to consider rules extending the dates by which employers must comply with the strictest data privacy laws in the nation.

The public hearing will take place at 2 p.m. on the second floor of the Transportation Building, 10 Park Plaza, Boston. State officials will hear testimony at the hearing about a move to extend the compliance date for some portions of the data privacy law from January 1 to May 1 and other portions to January 1, 2010.

Bradley MacDougall, Associate Vice President of Government Affairs for AIM, encouraged employers to read the regulations and contact AIM with suggestions for improvements. Mr. MacDougall said that while the hearing concerns only the extension of compliance deadlines, employers should take a hard look at whether they will reasonably be able to comply by the new May 1 or January 1, 2010 dates.

AIM will provide the Office of Consumer Affairs and Business Regulation with comprehensive testimony that will include member comments and suggestions. AIM testified recently on the data regulations before the Legislature’s Joint Committee on Consumer Affairs and Professional Licensure and urged lawmakers to follow national standards for protection of personal information.  During that testimony AIM made the following points:

  • The protection and active security of personal data is a priority for employers. As currently written, AIM believes that 201 CMR 17.00 goes beyond the Legislature’s intent through highly prescriptive mandates. In many instances they are not technically or economically feasible.
  • AIM has taken several steps to notify and educate its members and the business community about the new regulations. Still, an overwhelming number of firms are completely unaware of these new regulations. Even as of last week, many businesses stated that AIM’s communication to them on this topic was the first time they had heard of these new regulations. A greater public outreach effort by the administration is necessary.
  • These regulations go far beyond the legislative intent through highly prescriptive mandates that exceed existing regulatory frameworks and, further, do not envision the national and global business relationships within which Massachusetts firms operate.
  • AIM and individual member companies have expressed these significant concerns, yet these questions go unanswered. As a result, employers continue to struggle to apply the ambiguous regulations to their unique business operations. Regulated entities cannot readily determine what compliance is, which exposes them to a significant amount of unnecessary liability, including Chapter 93A litigation in which damages could be trebled.

The Massachusetts data-breach law affects all individuals and all employers, including corporations, associations, partnerships, higher education and healthcare providers, and may require significant operational and technological changes for those entities having custody of personal information, including employer records and customer data. Employers regulated by HIPAA and other federal standards would not automatically be in full compliance. Although the delay in the effective date is helpful, as a practical matter it is unreasonable to believe that a regulated entity has a fair opportunity to reach full compliance.

“We encourage employers concerned about this issue to attend the hearing and testify,” Mr. MacDougall said. “Employers should also contact their state representative and state senator to voice concerns.”

AIM and its members have expressed specific concerns about several elements of the regulations, including:

Third-Party Vendors

Third-party vendors located outside of Massachusetts will need to be educated on the regulation before they can take the necessary steps toward compliance themselves. This process will take a considerable amount of time. Compliance for most companies will be completely out of their hands until each of their vendors has had adequate time to change its own data security procedures.

Encryption

The requirement that entities must encrypt personal information that will travel across public networks will entail considerable time and money. New systems could be encrypted in many situations at additional cost, but for systems purchased even just a few years ago it would be difficult, expensive and often impossible to add encryption capabilities retroactively. This type of immediate investment presents an unfair burden to businesses. Additionally, the definition of encryption in the regulation remains a concern for many, in that it differs from the standard definition used in many other states.
      
Inventory
      
For most companies, inventorying the personal information they hold will take months, if not years, to complete. Individual divisions within a company, consultants and auditors will need to work together to ensure compliance with this requirement. This requirement alone will be very costly and time consuming. One must also keep in mind that data stores and systems are continually growing and evolving from day to day. The inventory would be dated the moment it is completed and would have to be continuously updated, imposing significant additional costs on a perpetual basis.