Legislation passed in 2007 directed the regulation to establish minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.
“Protecting consumers’ personal information is very important and our member companies take seriously the obligation to protect the data in their possession and control,” said John Murphy, AIA northeast region vice president. “We hope that Massachusetts will afford companies the flexibility to effectuate that obligation in a reasonable and sensible manner and timeframe.”
The hearing was required after OCABR issued an emergency regulation in November extending the compliance dates. The regulations, which contain personal information protection rules for businesses under the state's new identity theft law, were initially adopted by OCABR in September and set to be implemented on Jan. 1, 2009.
“The original effective date of January 1, 2009 — just three months after the final regulation was approved — was simply not realistic,” said Murphy. “While AIA appreciates OCABR’s decision to delay implementation for a few months, this ‘breathing room’ will not cure the substantive problems with the regulation or afford companies enough time to fully implement its directives.”
Murphy explained that the additional time still does not address some of the fundamental roadblocks and areas where further clarification is needed, such as encryption; data mapping or data inventory; monitoring; safeguards consistent with other state or federal regulations; and vendor contracting issues.
“AIA strongly encourages OCABR to indefinitely delay implementation of the regulation so that all affected entities can raise concerns and receive guidance from OCABR and the Massachusetts attorney general, where appropriate,” concluded Murphy.
No comments:
Post a Comment