Business Asks Governor to Delay Data-Breach Regulations
October 23, 2008
The Honorable Deval L. Patrick
State House, Room 360
Boston, MA 02133
Re: 201 CMR 17.00, Standards for the Protection of
Personal Information of Residents of the Commonwealth
Dear Governor Patrick:
We write on behalf of a very broad range of businesses and industries
that serve Massachusetts residents to express our deep concerns
regarding many of the requirements of 201 CMR 17.00. We urge you
to delay the effective date of this regulation as it will be impossible
for nearly all entities holding the personal information of a
Massachusetts resident to become compliant in such a short time
frame.
Many of the requirements in 201 CMR 17.00 are unprecedented.
The regulation goes far beyond identity theft laws in other
states. Companies need more than a couple of months just to obtain
a full understanding of what they must do to comply with the
regulation. During these tough economic times, companies simply
will not be able to commit the necessary financial resources to comply
between now and January 1, 2009.
While we would like to see an extension on the entire regulation,
there are three particular requirements that cannot be satisfied by any
company, regardless of size and available resources, prior to the
effective date. For those provisions, we seek at least a one year
delay in the regulations.
Encryption
The requirement that entities must encrypt personal information that
will travel across public networks will entail considerable time and
money. New systems could be encrypted in many situations at
additional cost, but for systems purchased even just a few years ago it
would be difficult, expensive and often impossible to add encryption
capabilities retroactively. This type of immediate investment
presents an unfair burden to businesses. Additionally, the
definition of encryption in the regulation remains a concern for many in
that it differs from the standard definition in many other
states. Encryption should be delayed for at least a year and
required only on a going-forward basis for any new investment, upgrade
and/or equipment purchase.
Inventory
For most companies, this process will take months if not years to
complete. Individual divisions within a company, consultants and
auditors will need to work together to ensure compliance with this
requirement. This requirement alone will be very costly and time
consuming. One must also keep in mind that data stores and systems
are continually growing and evolving from day to day. The
inventory would be dated the moment it is completed and would have to be
continuously updated imposing significant additional costs on a
perpetual basis. We ask for an extension of at least twelve months
for this requirement.
Third Party Vendors
While it will be impossible for companies located in Massachusetts that
are aware of this regulation to be compliant by January 1, 2009, third
party vendors located outside of Massachusetts will need to be educated
on the regulation before they can take the necessary steps toward
compliance themselves. This process will take a considerable
amount of time. Compliance for most companies will be completely
out of their hands until each of their vendors has had adequate time to
change their own data security procedures. We ask that this
requirement be delayed at least until January 1, 2011.
These are but a few of the concerns the signatories to this
letter share. Each industry will be differently impacted by the
Standards and each stands ready to provide more specific information
regarding the Standards' impact on their particular business or
members. Collectively, we urge you to consider the time and
financial resources that must be allocated to demonstrate compliance
with this unprecedented regulation in such a short time frame. Thank you
for considering our views.
Retailers Association of Massachusetts
Associated Industries of Massachusetts
Massachusetts Food Association
Comcast
Massachusetts Association of Insurance Agents
Microsoft
Massachusetts Association of Health Underwriters
Massachusetts Insurance Federation
Massachusetts Mortgage Bankers Association
Verizon
Life Insurance Association of Massachusetts
Association of Independent Colleges and Universities of Massachusetts
Investment Company Institute
Massachusetts Hospital Association
National Federation of Independent Business
AeA
Consumer Data Industry Association
Massachusetts Society of Certified Public Accountants, Inc.
Massachusetts Bankers Association
Reed Elsevier
Property Casualty Insurers Association of America
Massachusetts Biotechnology Council
South Shore Chamber of Commerce
T-Mobile
American Insurance Association
Massachusetts Package Store Association
Securities Industry and Financial Markets Association
Greater Boston Chamber of Commerce
Massachusetts Business Roundtable
Massachusetts Technology Leadership Council
First Data Corporation
New England Financial Services Association
AT&T