Businesses Look to Restart Data Security Rule Process

By Michael P. Norton
STATE HOUSE NEWS SERVICE
STATE HOUSE, BOSTON, JAN. 15, 2009 - A coalition featuring some of the biggest businesses in the nation called on the Patrick administration Thursday to again delay implementation of regulations to protect against identity theft, saying the pending rules are unworkable and will hurt job creation.

In a letter to Patrick administration officials and legislative leaders dated Thursday, business groups and employers ask the administration to convene stakeholders and reissue by May 1 a new set of regulations with a two-year period recommended for implementation of those rules.

Regulations currently on the table go beyond the intent of the state’s identity theft law and “set a perilous course for already strained individuals, families, businesses and state agencies that depend upon the success and growth of the Massachusetts economy,” the business groups wrote in their Jan. 15 letter.

The letter was signed by groups like the Mass. Business Roundtable, the Mass. Package Store Association and the Mass. Hospital Associations and companies like Google, Comcast, CitiGroup, AOL, Microsoft, The Gap, Verizon and Walmart.

The rules, which are up for a public hearing on Friday, are “not technically or economically feasible” and “do not envision the national and global business relationships that Massachusetts firms depend on,” the coalition said.

Businesses are encouraging state officials to look at New Jersey’s effort to implement data security laws, noting the process there allows for two years to promulgate regulations.

In addition to addressing encryption requirements and rules that businesses believe are duplicative, confusing and unnecessary, the business groups also say public agencies should be held to the same standards as private sector companies or else the purpose of the law is “frustrated and rendered meaningless.”

At 2 pm Friday, the state Office of Consumer Affairs and Business Regulation holds a public hearing on regulatory amendments extending a pair of data security law compliance dates until May 1, 2009 and Jan. 1, 2010. The state last year extended previous deadlines.

In a statement emailed by a spokeswoman, office director Dan Crane said, “We will give full consideration to the testimony at tomorrow’s hearing and any and all written comment we receive before coming to a decision that strikes the right balance between protecting consumers’ personal information and not overburdening business.”

Supporters of the identity theft law argued prior to its passage that Massachusetts residents were more vulnerable to theft because the state lacked strong consumer protection law that many other states have already adopted and implemented.

John Moynihan, who left the Department of Revenue in 2007 after a 24-year career, including a long stint as deputy commissioner and internal control officer, noted the law was approved in July 2007 and contains key information security program, compliance monitoring and employee awareness mandates.

“It’s a good law. It’s forward-thinking. It’s timely. People should just start moving toward implementing the requirements,” said Moynihan, president of Minuteman Governance, a Hopkinton-based information security consulting firm. While hacking cases attract media attention, “the biggest risk to data is from employees and contractors, people within the organization,” said Moynihan.

While acknowledging that startup compliance costs could range between $30,000 and $50,000, Moynihan, noting companies are willing to invest in items like surveillance to protect property, said they should also take steps to protect their customers.“They find the money when it’s to protect their assets and their resources,” he said.

01/15/2009
Serving the Working Press Since 1910
www.statehousenews.com