The Filing Cabinet

“The Filing Cabinet” is written by Melissa Klein Aguilar, a long-time business journalist who first began writing for Compliance Week in 2005. She closely follows all issues related to SEC registrants, Sarbanes-Oxley compliance, evolving securities rules, and executive compensation, among other areas. She welcomes questions, comments and statements from readers on SEC filing matters, and where appropriate she will try to address them here. She can be reached via email at Melissa@complianceweek.com.


September 24, 2009

Complying With Mass. Data Security Regs Proves Costly

For those organizations already tackling the task of complying with the new Massachusetts data security regulations, currently slated to take effect March 1, compliance is proving costly, a recent survey shows.

The rules, which are slated to take effect on March 1, 2010, impose significant data security requirements on any entities possessing personal information of Massachusetts state residents, including those based outside of Massachusetts.

A joint survey of more than 200 members of the International Association of Privacy Professionals conducted by the IAPP and the law firm Goodwin Procter found that 33 percent of the organizations polled have already spent more than $50,000 on complying with the rules.

Another 12 percent spent $10,000-50,000 on compliance, according to results of the survey, which was conducted in August.

Additionally, 44 percent of the organizations responding have spent more than 100 hours on compliance, while 17 percent said they’ve spent 40 to 100 hours complying with the rules.

“The numbers show compliance is fairly onerous in terms of time and expense, and companies might have more to do,” says Brenda Sharton, a partner at Goodwin Procter.

That’s because there could be further changes to the rules prior to the March 1 effective date. As previously reported, the Massachusetts Office of Consumer Affairs and Business Regulations proposed significant amendments to the rules in mid-August and indicated that it could make more changes when it issues final rules.

Among those surveyed, 76 percent said they maintain personal information on Massachusetts residents.

Sharton says the biggest pain point is the requirement for organizations to take “reasonable steps” to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information in accordance with the regulations.

Further complicating that challenge is the fact that many companies deal with dozens of vendors. Among those polled, 60 percent reported that they have more than 10 vendors with access to personal information and 30 percent have more than 100 vendors with access to personal information.

Meanwhile, 60 percent of the organizations responding to the survey said they expect compliance efforts to be complete by March 1, 2010, and another 29 percent expect compliance efforts to be “probably” complete.

However, Sharton notes that the respondents are a self-selected group that might not necessarily be broadly representative.

“Based on the survey results, it looks like those who are aware of the rules are on the road to compliance,” says Sharton. “Where rubber will hit the road is at companies that aren’t aware that the rules apply to them yet.”

As with any new law, Sharton says there’s still “plenty of confusion and uncertainty.”

“The number one question we get is, ‘Does this apply to us?’” she says.

The complete survey results are available here.

Posted by: maguilar @ 5:25 pm

Filed under: Information Security


  1. It is unethical and frankly poor practice that they were not protecting the data in the first place. As a security professional, I find the amount of data theft which requires no effort or real computer skills on the part of thieves amazing; it is the same as not locking the door and putting out a sign saying lots of money inside. If the companies had been following recommended best practices for security of personal data from day one, the cost of complying with regulations would be small. The cost is high because they were not protecting the data in the first place. Personally, I find that kind of corporate behavior criminal, practically to the level of accessory to a crime, since without their neglect, identity fraud would be a minor, rare crime, not the annual multi-million dollar crime spree that it is – a crime spree caused by corporate neglect of reasonable security practices and lack of control.

    Comment by Helen Umberger — September 29, 2009 @ 12:07 pm

  2. Each state passing its own laws on data protection is going to lead to a hopelessly complex and costly situation as companies struggle to maintain different policies and procedures to comply with differing regulations. There should be a Federal law on data protection that satisfies most states’ requirements. Imagine if each state implemented its own SOx regulations and companies had to comply with each one and submit to multiple audits, all checking for mostly the same thing. This is what the data protection scenario is going to be in the US.

    Comment by Ragu — October 2, 2009 @ 1:13 am
