Jim O’Sullivan/State House News Service writes at Wicked Local Arlington that, after employers called an earlier round of regulations aimed at preventing identity theft too harsh, the Patrick administration on Monday released a rewritten set of data protection rules that earned markedly better reviews from business groups.
The regulations, set to take effect next March, instruct businesses to write security plans describing how they protect personal data and allow more flexibility for small businesses, advocates said.
Shifting from an earlier draft released in February, the new version permits a “risk-based approach” based on a company’s size, resources, nature of data, and other factors, rather than mandating every component regardless of specifics.
Municipalities are expressly exempted from the regulations, and many portable devices are exempted from the encryption requirements.
“I think it’s a significant improvement, particularly for small businesses,” said Jon Hurst, president of the Retailers Association of Massachusetts.
Hurst said that “the fundamental concerns remain” with technological implementation and questioned why Beacon Hill would impose ID theft prevention rules on businesses while excluding government agencies.
“If government can’t comply with it, how can we expect employers to comply with it?” Hurst asked.
Since the ID theft law passed in 2007, employers have fought against what they called overly burdensome measures. The regulations published Monday appeared to address many of their concerns.
In a press release, consumer affairs and business regulations undersecretary Barbara Anthony said, “In listening to the concerns of small business leaders, we understand there were issues regarding the impact these regulations have on those companies. These updated regulations feature a fair balance between consumer protections and business realities.”
Business groups complained about earlier compliance deadlines and said many of the requirements of the anti-ID theft law would likely prove too onerous. They were quick Monday to offer praise for the softened regulations.
“They have really done a great job in terms of engaging the business community to discuss this and try to find a balanced approach toward doing what we all want to do,” Brad MacDougall, associate vice president for government affairs at the Associated Industries of Massachusetts, said of Patrick administration officials.
The regulations hinge on “technical feasibility,” defined in a summary as “reasonable means through technology to accomplish a required result.” Blanket computer security provisions apply where technically feasible, as do encryption requirements for portable devices.
The administration pointed out in its summary that little encryption technology exists for cell phones, BlackBerries, netbooks, iPhones and similar devices, while the technology is readily available for laptops.
The rules permit smaller businesses to take more modest protection steps. The summary says that a small business that holds only employee data can lock the files in a storage cabinet and lock the door to the room that holds it. A business that holds both customer and employee information, though, would be required to take stronger protective measures.