30 Jan

Final Phase of Massachusetts Privacy Law Takes Effect March 2012

Posted by Ephraim Schwartz in Risk Management
Ephraim Schwartz served as editor-at-large for InfoWorld for 12 years and is now

The final phase of the Massachusetts “Standards for the Protection of Personal Information of Residents of the Commonwealth” is slated to take effect March 1, 2012, ending almost three years of controversy and business opposition to the rules.

The stated purpose of the regulation is to set minimum standards that must be met by businesses that collect and store personal information about Massachusetts residents.

“The objectives of this regulation," according to the text, "are to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards … and to protect against unauthorized access to or use of such information …”

The regulation also requires that personal information be encrypted whenever it is transmitted over a public network or stored on “laptops or other portable devices.” The phrase “or other portable devices” covers a great deal of ground, including smart phones, PDAs, tablets, memory sticks and, I suppose, Nintendo Game Boys and other gaming devices.

The opposition to the regulation centered on a provision requiring the primary business that collects and stores the data to ensure that its suppliers, contractors and technology providers comply with the same standards.

As originally written, the rules would have required companies to rewrite their contracts with service providers to ensure those providers lived up to the same data protection required of the principal holders of customers' personal information. This was later relaxed, and the regulation now requires the principal company to take “reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information.”

The regulation also mandates that new contracts with third-party service providers require those providers to implement and maintain “appropriate security measures for personal information,” just as the principal owner of the customer data must.

Contracts signed on or before the original March 1, 2010, compliance date were grandfathered: they did not need to contain that clause. That grace period ends March 1, 2012, after which every third-party contract must include the requirement.

Last year, Computerworld reported that Massachusetts trade associations and major business associations within the state were lining up in opposition to the measure.

“A coalition of 70 organizations, including the Retailers Association of Massachusetts, the Massachusetts Bankers Association, the Greater Boston Chamber of Commerce” and other companies, among them Wal-Mart, Microsoft, Target and Google, asked the legislature to reconsider the rules, saying, among other things, that they would be detrimental to business, especially in a recessionary climate where budgets were tightening.

The modification, which asks the principal company only to take reasonable steps in selecting providers and to obtain a contractual commitment from them, appears to have mollified the opposition.
