Why Mass. 201 CMR 17 Deadline Was Extended

Editor’s note: For a complete audio transcript of the recent National Information Security Group (NAISG) discussion on 201 CMR 17, visit our podcast page.

Massachusetts security pros dropped to their knees in thanks after a compliance deadline for the state’s tough new data protection law was extended from January to May.

The reason for the extension — and subsequent relief — is simple. Too many companies are in the dark about 201 CMR 17.00 (Standards for The Protection of Personal Information of Residents of the Commonwealth) to meet a January compliance deadline.

Those who do understand the law say there’s too much to do to meet the original compliance deadline, and believe the deadline will get extended again.

“There may be issues with implementation, language and discrepancies between what various state documents say,” National Information Security Group (NAISG) board director Jack Daniel said during a group discussion on the law last week in Waltham, Mass.

Issued in September, the regulations require that businesses encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data, and deploy up-to-date firewalls to create “an electronic gatekeeper” between the data and the outside world that only allows authorized users to access or transmit data.

The regulations were initially set to take effect Jan. 1, but last week the state Office of Consumer Affairs and Business Regulation (OCABR) extended the deadline to May 1 “in light of intervening economic circumstances.”

“These sensible measures are already widely used by many Massachusetts companies, but we recognize that some businesses currently facing economic uncertainties will benefit from having additional time to comply,” Undersecretary of Consumer Affairs and Business Regulation Daniel C. Crane said in a written statement. “The action serves to provide flexibility to businesses working to implement the necessary measures to safeguard their customers’ personal information in a timely manner.”

Under the new deadline structure:

• The general compliance deadline for 201 CMR 17.00 is extended to May 1. The date is consistent with a new FTC Red Flag Rule requiring financial institutions and creditors to develop and implement written identity theft prevention programs, Crane said.
• Third-party service providers now have until May 1 to prove they are capable of protecting personal information and are contractually obligated to do so. Meantime, the deadline for requiring written certification from third-party providers will be further extended to Jan. 1, 2010.
• The deadline to encrypt all laptops will be extended from Jan. 1 to May 1, and the deadline to encrypt other portable devices will be further extended to Jan. 1, 2010.

Daniel, who ultimately believes the law is “legislating common sense,” noted that it’s probably going to be well beyond May 1 before implementers get all their compliance work done.

“I’ll be startled if this doesn’t change again at least a little bit in the next six months do to financial pressures. Spending on additional security isn’t a popular thing right now.”

Though companies may be grateful that the state is allowing more leeway in light of the current economic crisis, security pros at the NAISG meeting suggested compliance is going to take more time simply because the details are still too new and undigested.

One attendee whose clients include a healthcare organization worried aloud that it’s going to be exceedingly difficult for operations like his to prove that every third-party “average Joe” has the necessary encryption in place when trading electronic communications. Daniel noted this is particularly challenging in schools and small doctors offices, where IT controls are far more scattered than larger enterprise networks.

Ed Ziots, a Rhode Island-based network engineer, questioned the ability of Massachusetts to enforce the law outside its borders.

“If my company is in Rhode Island and someone from Massachusetts comes in and buys something, how can Massachusetts enforce the law on us?” he asked. A Massachusetts law is not enforceable in Rhode Island.”

To that, Daniel said it might be possible for an out-of-state company to get away with some isolation, but that it “probably wouldn’t be wise to mount a challenge.”

Part 2 of this series will focus on whether 201 CMR 17’s requirements are overdue, or if they go too far.