Bingham McCutchen LLP put together a panel presentation on Complying with Massachusetts' New Data Security Regulations.
Mark Robinson, a partner at Bingham, started with an introduction of the law and panel. He called the law “perilous.”
Beth Boland, a partner at Bingham, went through the requirements of the new law. OCBR and the business community seem to be at a disconnect over the law. OCBR thinks the regulations are not a big deal. They cite a statistic that there were over 318 reported breaches that affected more than 500 Massachusetts residents during a 10 month period while they were considering the law. [See Report of M.G.L. Chapter 93h Notifications (.pdf)]
Beth highlighted that the limitation in 201 CMR §17.03(g), that data should only be collected that is “reasonably necessary to accomplish the legitimate purpose for which it is collected,” is unique to Massachusetts.
Beth highlighted one of the pitfalls being the cascading certifications. First, there is no standard for certification. She expects there will be some battle over acceptable forms. Second, you need to follow the certification process all the way down the chain of custody to your providers, the sub-providers, the sub-sub-providers, etc.
Beth highlighted that May 1, 2009 is the deadline for getting contractual agreement that service providers will comply and January 1, 2010 is the deadline for getting a compliance certification.
Doug Schwarz, a partner at Bingham, pointed out that in some organizations the requirements will mostly affect human resources, and that HR may end up driving the process instead of IT.