On September 22, 2009, Socheth Sor of Edwards Angell Palmer & Dodge LLP testified at a public hearing before the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) in Boston regarding 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth (the “Regulations”).  OCABR Undersecretary Barbara Anthony presided over the hearing with Assistant Attorney General Diane Lawton and OCABR Deputy General Counsel Jason Eagan.  David Murray, OCABR General Counsel, also attended.

Socheth asked the OCABR to clarify whether the March 1, 2012 deadline for third party service provider contracts was a typo or whether the OCABR intended to give businesses a two-year grace period to comply with this requirement.  She also asked the OCABR to clarify what encryption means, especially in the context of portable devices.  Socheth urged the OCABR to issue more practical guidance in the form of templates, checklists and frequently asked questions, and suggested the OCABR set up a mini-website and/or telephone hotline to respond to the public’s inquiries regarding compliance with the Regulations.

A number of other individuals also testified at the hearing.  Highlights of their testimonies include:

  • Daniel Foley spoke on behalf of the Massachusetts Association of Insurance Agents.  He asked the OCABR to deem companies already in compliance with similar federal information security rules to be in compliance with the Regulations.  He urged the OCABR to delete the third party service provider contractual requirement and suggested that simple verification of service providers’ compliance should be sufficient.  Mr. Foley also asked for a special exemption for insurance agents so that they are not required to enter into new agency agreements with insurance companies.  Lastly, he recommended that language regarding the risk-based approach used in the Frequently Asked Questions issued in August be expressly included in the revised Regulations.
  • John Murphy, a representative of the American Insurance Association, asked whether an insurance agent is considered a third party service provider.  If agents are considered third party service providers, insurance companies would then be required to undertake the expensive and time-consuming task of renegotiating contracts with thousands of independent insurance agents.
  • Robert Kramer of the Computing Technology Industry Association asked the OCABR to clarify the meaning of “reasonable steps” as used in the context of selecting third party service providers.  Undersecretary Anthony noted that this language was lifted from the Safeguards Rule promulgated by the Federal Trade Commission under the Gramm-Leach-Bliley Act, and noted that the final rules will clarify any confusing language surrounding the third party service providers requirement.
  • Jon Hurst of the Retailers Association of Massachusetts asked the OCABR to make the Regulations applicable to government employers (a comment repeated by others).  He also suggested that the OCABR expand “technical feasibility” to include “financial feasibility” so companies are not obligated to adopt new and expensive technology immediately as it becomes available.
  • Tammi Salmon of the Investment Company Institute stated that the definition of “owns or licenses” should be deleted because, as currently written, the definition broadens the scope of applicability to include businesses that merely receive the personal information of Massachusetts residents.
  • Jack Daniels testified that as a concerned citizen he was disheartened by the weakening of the Regulations in the recent amendments.  He asked the OCABR to consider whether these Regulations, as written, would be enough to prevent the TJX breach.
  • Stuart Zimmerman also testified that as a concerned citizen he believes pushing back the effective date three times has caused the public to take the Regulations less seriously.

Undersecretary Anthony thanked each individual who testified and noted that the OCABR may still make additional amendments to the Regulations.  She did not discuss whether the OCABR will extend the effective date of the Regulations again.  Undersecretary Anthony acknowledged the requests for more practical guidance by indicating that the OCABR will definitely promulgate more guidance.

We will update this post when a transcript of the hearing is available.