Some Teeth Being Pulled from 201 CMR 17

by Compliance Solutions on June 1, 2009

It looks like the concerns of small business, as well as the legal and security community, over the scope and enforceability of 201 CMR 17 have been heard at the State House in Boston. State Senate Chairman Michael Morrissey presented a draft of new Massachusetts Senate Bill 173 (SB 173) at a hearing on Tuesday, May 12, 2009, stating that the proposed data protection regulation “went beyond the intent” of the legislature.

Mr. Morrissey’s new bill will propose revisions to the encryption requirements and to the jurisdiction of the regulations beyond the Massachusetts state borders. If passed, these revisions would result in some fairly significant changes to 201 CMR 17, which was established by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) for the protection of personal information and is set to go into effect on January 1, 2010.

From what we have seen, SB 173 is a legislative response that would basically change 93H and limit the scope of what the Office of Consumer Affairs and Business Regulation can require under its mandate in the previous legislation: “shall adopt regulation relative to any person that owns or licenses personal information.”

This proposed legislation obviously impacts many small businesses, and we will have to see what specific limitations will be placed on OCABR's authority to regulate the collection, use, distribution, storage, transporting and destruction of personal information as set forth in 201 CMR 17.

Small Business Compliance Solutions has developed a comprehensive package of guidelines, templates and critical information that will enable your business to comply with these new regulations and we will be updating our community of toolkit owners regarding changes in the regulations. The MA 201.CMR.17 Small Business Compliance Toolkit will guide any small business through the process of evaluating their personal information security policies and establishing effective procedures, guidelines and documentation to comply with the new law.

For more information visit Small Business Compliance Solutions at http://www.BizComplianceSolutions.com


Tom Considine, CIPP July 24, 2009 at 9:06 pm

It is upsetting to see that the first cutting edge law in the nation will eventually be shot, gutted, and hung out to dry. All of the provisions of 201 CMR 17 are attainable for all businesses regardless of size. The technology is there, the means to achieve it is there, the desire to achieve it is not!

The costs of achieving compliance for each business are far less than the $60 billion dollars that was lost in 2008 to identity thieves. Identity theft cost each working age American approximately $360 in higher prices and fees last year, which was passed on to them by the businesses that lost their information in the first place!

Setting separate rules for larger businesses than smaller businesses is also an improper practice. I routinely visit small businesses at night and find cancelled employee and consumer checks, loan applications, credit card receipts lying in the trash can for anyone to remove. When I confront the business owners they tell me they were unaware of the laws or that they couldn’t just toss them away!

Owning a business in the United States is “NOT” a right, it’s a privilege. With that privilege comes the responsibility to protect the information they receive from consumers and employees regardless of size!

As you can see, I get really worked up when it comes to the subject of identity theft. During my career in law enforcement, I investigated many identity theft cases. After retiring, I started a document destruction business to help prevent these crimes in my own little way. Imagine how shocked I was when I found out I became a victim of identity theft because a security firm I once moonlighted for went out of business and discarded my information in the trash! Then, more recently, I became a victim of credit card fraud (can you say Heartland!). I am still feeling the effects of both incidents.
You see, it really doesn’t matter to me if my information was stolen from a small or large business. What matters is that it was allowed to be stolen at all!
After the first incident I went on a quest to help businesses protect consumer information and Massachusetts finally provided the right tools to do it.

I thought Massachusetts would be the first state to fix this problem and all other states would follow suit, putting an end to identity theft. I guess I was wrong.
