New rules proposed by the Patrick administration to guard against the loss of personal and credit data drew fire yesterday from businesses that said many of the regulations would prove too costly to implement.
Daniel Crane, director of the state's Office of Consumer Affairs and Business Regulation, said the proposals were meant to keep companies abreast of growing threats from hackers yet still be flexible enough to avoid burdening businesses, in line with other state and federal rules. "We didn't attempt to be trailblazers," he said.
The administration is proposing the regulations to put into practice a law passed in the summer to protect consumer data in the wake of major breaches at companies such as TJX Cos. of Framingham, Fidelity Investments, and The Boston Globe. At TJX, parent of retail chains such as T.J. Maxx and Marshalls, up to 100 million credit and debit card accounts may have been compromised in the nation's largest data breach.
The rules would set standards for how businesses should protect personal information, requiring that they use a relatively strong level of encryption to protect files sent across public networks, and retain records of their employees' access to customers' electronic information.
Yesterday, some of the state's largest trade groups weighed in with strong objections, including the Retailers Association of Massachusetts, whose members include supermarkets and chain stores, and communications companies including Verizon Communications Inc., Comcast Corp., and AT&T Inc.
The trade groups argued the rules would have unintended consequences and prove costly, citing a requirement that companies keep an inventory of records of personal information and the hardware used to store them. One large retailer received a bid of $50,000 to establish such a system, a cost many small businesses couldn't support, said Jon B. Hurst, the president of the retailers trade group.
"Essentially, these requirements may discourage larger businesses from locating in Massachusetts or doing business with residents of Massachusetts, while putting the existence of small businesses in severe jeopardy," Hurst wrote in comments he submitted yesterday. (TJX is a member of his trade group.)
In another letter, the Investment Company Institute, which represents mutual fund firms such as Fidelity and Putnam Investments, both of Boston, argued the regulations don't take into account privacy rules they already follow, such as the Gramm-Leach-Bliley Act, and would require many funds based outside of Massachusetts to add complex systems to deal with local residents.
For many consumers, the biggest impact is that the new law will entitle them to halt distribution of their credit reports if their records are compromised, the same as in other states. Companies, meanwhile, can be fined if they lose records.
Not all of the feedback the state received was negative. An executive for CUNA Mutual Group of Wisconsin, which insures credit unions against losses from fraud, noted in testimony that only 65 percent of large US merchants meet industry security standards, according to the latest count by the Visa payment network, and that it supports a proposed state provision that would require companies to create data-security programs.
Cynthia Larose, a partner at the Mintz, Levin law firm who specializes in privacy issues, said the rules provoked the strong reaction in areas where they were written with more detail than used in other states. But the same specifics pleased consumer advocates such as Eric Bourassa, a data expert for the Massachusetts Public Interest Research Group, which backed the original privacy bill.
He noted the Massachusetts rules would require companies to prevent terminated employees from accessing sensitive customer records, but don't specify exactly how they should do so. "It's not like they're saying companies should set up a retinal scan," Bourassa said.
Following a hearing on the rules yesterday, Crane, the business regulation director, said he will allow another two weeks for parties to submit comment and that the state will take them into account before it puts forward final rules, hopefully within the first half of the year.
Ross Kerber can be reached at kerber@globe.com.


