For those organizations already tackling the task of complying with the new Massachusetts data security regulations, currently slated to take effect March 1, compliance is proving costly, a recent survey shows.

The rules, which are slated to take effect on March 1, 2010, impose significant data security requirements on any entities possessing personal information of Massachusetts state residents, including those based outside of Massachusetts.

A joint survey of more than 200 members of the International Association of Privacy Professionals conducted by the IAPP and the law firm Goodwin Procter found that 33 percent of the organizations polled have already spent more than $50,000 on complying with the rules.

Another 12 percent spent $10,000-50,000 on compliance, according to results of the survey, which was conducted in August.

Additionally, 44 percent of the organizations responding have spent more than 100 hours on compliance, while 17 percent said they've spent 40 to 100 hours complying with the rules.

"The numbers show compliance is fairly onerous in terms of time and expense, and companies might have more to do," says Brenda Sharton, a partner at Goodwin Procter.

That's because there could be further changes to the rules prior to the March 1 effective date. As previously reported, the Massachusetts Office of Consumer Affairs and Business Regulations proposed significant amendments to the rules in mid-August and indicated that it could make more changes when it issues final rules.

Among those surveyed, 76 percent said they maintain personal information on Massachusetts residents.

Sharton says the biggest pain point is the requirement for organizations to take "reasonable steps" to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information in accordance with the regulations.

Further complicating that challenge is the fact that many companies deal with dozens of vendors. Among those polled, 60 percent reported that they have more than 10 vendors with access to personal information and 30 percent have more than 100 vendors with access to personal information.

Meanwhile, 60 percent of the organizations responding to the survey said they expect compliance efforts to be complete by March 1, 2010, and another 29 percent expect compliance efforts to be "probably" complete.

However, Sharton notes that the respondents are a self-selected group that might not necessarily be broadly representative.

"Based on the survey results, it looks like those who are aware of the rules are on the road to compliance," says Sharton. "Where rubber will hit the road is at companies that aren't aware that the rules apply to them yet."

As with any new law, Sharton says there's still "plenty of confusion and uncertainty."

"The number one question we get is, 'Does this apply to us?'" she says.

The complete survey results are available here.