Tougher consumer data rule adopted

Businesses must improve safeguards

By Todd Wallack
Globe Staff / September 23, 2008
In the wake of a series of alarming data breaches, placing hundreds of thousands of Massachusetts consumers at risk of identity theft, state regulators released new rules yesterday ordering businesses to better safeguard consumers' personal information.

The regulations, issued by the Massachusetts Office of Consumer Affairs and Business Regulation, require companies that handle personal information such as credit card accounts and Social Security numbers to encrypt data stored on laptops, monitor employee access to data, and take other steps to protect customer information, beginning Jan. 1. Governor Deval Patrick also signed an executive order requiring state agencies to take similar measures.

"This is necessary because of the growing concern among consumers about the large number of breaches of data containing their personal information," said Daniel Crane, undersecretary of Consumer Affairs and Business Regulation.

Framingham-based TJX Cos., which operates TJ Maxx and Marshalls stores, said last year that at least 45.7 million cards were exposed in a computer breach. In March, supermarket company Hannaford Bros. reported a breach, potentially exposing 4.2 million credit and debit card accounts to fraud. This month, mortgage company Countrywide Financial Corp. said more than 45,000 Bay State consumers could be affected by a security breach, and Bank of New York Mellon revealed that a data breach in May may have put at risk personal information from more than 400,000 Massachusetts residents, twice the original number reported.

Shortly after the TJX incident, Patrick signed sweeping legislation requiring companies to notify the state of future security breaches and ordering the consumer affairs agency to craft new regulations. Since then, companies have reported nearly 320 security breaches to the state, affecting more than 625,000 residents. Many involved stolen laptops and hard drives. In three of four cases, the data were not encrypted or protected by a password.

After business groups raised objections to an early draft of the rules, Crane said, the agency made several changes. For instance, he said the agency tweaked the definition of encryption and removed a requirement ordering companies to do an audit trail of where they keep personal data.

Still, Eric Bourassa, a consumer advocate for the Massachusetts Public Interest Research Group, said he is pleased with the final version.

"Those don't seem like major changes," Bourassa said, adding he is glad the rules cover both electronic and paper documents.

Jon B. Hurst, president of the Retailers Association of Massachusetts, said most large businesses are likely to already be in compliance with the rules. But, he said, small businesses may have trouble complying by Jan. 1, especially with the busy holiday shopping season approaching.

"I wish they had more lead time," Hurst said. "Perhaps six or 12 months would be better."

Some data are exempt. Specifically, the regulations only cover "personal information" - defined in the law as a resident's first and last name in combination with a Social Security number, driver's license number, or financial account number. The legal definition does not apply to Social Security numbers or credit card numbers alone.

The issue came up in the Hannaford breach, because Hannaford said it didn't store individuals' names - just their credit card numbers - making it unclear how the law applied.

However, David Murray, a lawyer for the consumer affairs agency, said the new rules could still expose companies to greater liability from civil lawsuits if they don't fully safeguard credit card numbers and other data not explicitly covered by the law, because lawyers could point to the requirements as an example of the minimum care companies must take to protect sensitive data.

The full regulations are online at www.mass.gov/oca.

Todd Wallack can be reached at twallack@globe.com.