If not for a reprieve granted in mid-November by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), most businesses in the Bay State would be spending these last two weeks before the New Year rushing to meet state mandates requiring the encryption of personal data about Massachusetts residents stored on laptops or transmitted across public networks. But while businesses now have until May 1—rather than the original January 1 deadline—to comply with the new regulations, which are designed to combat a recent epidemic of corporate data breaches and identity theft in the state, the burden on companies to protect personal data hasn’t gotten any lighter. Local companies, including Web-based businesses that collect information about their users, need to start thinking now about how they’ll comply with the new standards, or face increased liability later, say local security industry leaders.
“The Massachusetts regulation is extremely broad in scope and potentially covers every business of every size, even mom-and-pop joints that do credit-card transactions or just write someone’s name and account number in their ledgers,” says Nagraj Seshadri, head of product marketing at Utimaco Software, a security subsidiary of Burlington, MA-based antivirus company Sophos. “It’s also got a lot of implementation-related specifications. Many of the earlier regulations simply said ‘protect the data,’ but this gets into the details about encrypting data on your laptops, ensuring your wireless networks are encrypted, and verifying that your operating system patches and antivirus signatures are up to date. It is something that can potentially be quite far-reaching.”
Published in September, the Massachusetts regulation defines “personal information” as a resident’s last name and first name or first initial whenever it’s stored in combination with a social security number, a driver’s license number, a bank account number, or a credit or debit card number. The new rules make Massachusetts one of only two states that require all businesses to encrypt such data whenever it’s stored on a laptop hard drive or transmitted electronically. (The other is Nevada.) And as Seshadri notes, the rules affect pretty much every business in the state—even those that don’t collect consumer financial data—since they apply to employee data, such as tax withholding data and automatic deposit information, as well as consumer data.
In at least two ways, however, the new regulations could become a boon for the local economy. After massive and well-publicized incidents of data loss at area companies, including the 2006 theft of some 45 million credit card numbers from Framingham, MA-based TJX (NYSE: TJX) and the revelation last spring that intruders had placed credit- and debit-card-scooping malware on hundreds of servers owned by the Scarborough, ME-based Hannaford Bros. supermarket chain, the new measures may help to restore consumers’ confidence that companies can protect their personal information.
Moreover, because only 20 to 30 percent of businesses already own the software needed to protect data on laptop hard drives and wireless networks, according to a study by Forrester Research, the new regulations could also mean a bonanza for security software companies, which happen to be one bulwark of the Massachusetts technology economy. OCABR has estimated that the average small business with 10 employees will need to spend about $3,000 up front on the required software and up to $500 a month for ongoing administration, while bigger organizations could end up spending hundreds of thousands of dollars.
Local security companies are already stepping up to offer their services. Utimaco, for example, sells a system called SafeGuard that’s used by administrators to enforce encryption policies and manage encryption keys across a company’s entire collection of PCs, laptops, PDAs, and e-mail systems. “The thing about this regulation is that it doesn’t simply say ‘encrypt it and forget it,’” says Seshadri. “It says you need to