Massachusetts Revises Identity Theft Regulations to Accommodate Small BusinessPDF
In a previous Alert, we had described a new Massachusetts law that was raising concerns within the business community because of an apparently far-reaching requirement that all personal information stored on portable devices (including laptops) be encrypted. The effective date of the law had already been delayed, awaiting clarifying regulations. The Massachusetts Office of Consumer and Business Regulation has now published a significantly revised version of its long-delayed “Standards for the Protection of Personal Information of Residents of the Commonwealth” (201 CMR 17.00). The law is now scheduled to take effect on August 1, 2010.
In an obvious reaction to the current economic and political climate, the new regulations reflect a “commitment to balancing consumer protection with the needs of small business owners.” FAQs just issued by the Office of Consumer Affairs emphasize the shift from mandatory, one-size-fits-all regulation to a “risk-based approach that takes into account the particular business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.” Encryption is now required only when it is “reasonable” under the circumstances and the required encryption technology is reasonably available.
The watering-down of the Massachusetts encryption requirement may provide useful information about the likely nature of future privacy regulation in general. Over the last few years, the Federal Trade Commission has taken the lead in this area in gradually developing a nationwide requirement that personally identifiable data be protected at a reasonable level, but has avoided rigid requirements and relied heavily on determining what level of protection would be reasonable under the applicable circumstances. Many observers thought that the Massachusetts law, together with a 2008 Nevada law that requires the encryption of electronically transmitted personal information, signaled a different and more rigid approach at the state level that could soon become the national standard, particularly since Massachusetts has long been a trend-setter among the states in pursuing consumer rights and its official rhetoric on privacy in particular has been among the most strident in the country. The new Massachusetts regulations are more consistent with the existing FTC approach and the shift to a rule-of-reason, small-business-friendly approach to protecting personal information seems to reflect a reluctance to impose additional burdens on business in the current economic environment. At least in the short term, the feared proliferation of rigid state laws now seems unlikely.