The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has amended its data security regulations. In a media release yesterday, the OCABR announced that the rules will facilitate a risk-based approach to data security, which is expected to help the small-business community, in particular. In creating written security programs, businesses will be able to take into account their size, industry type and identity-theft risk, among other characteristics. The OCABR also modified the regulations to make them technology neutral. The new effective date is March 1, 2010. A public hearing on the changes will take place Tuesday, September 22.
The government has long been under pressure to create a federal standard for data security. Existing laws such as the FCRA and GLB Safety Act have set out guidelines for businesses that include risk analysis, written policy definitions, and employee training. However, apart from the Red Flags Rules [sec. 114 FACTA], to date nothing definitive has been issued that delineates specifically what each business must do and what criteria it must follow to safeguard PII. This new Mass. law promises to provide much of that language to guide businesses in that state. It is my belief that when enacted this new legislation will become a model for similar federal legislation.