We predicted this eventuality here, in this blog, 6 months ago. The MA Data Privacy law, touted by some as the most far reaching in the nation, is too unwieldy for small businesses to follow. However, the law is getting watered down a bit, making it more palatable for small businesses.

Randy George, Director, IT Operations, Boston Red Sox

August 27, 2009

2 Min Read

We predicted this eventuality here, in this blog, 6 months ago. The MA Data Privacy law, touted by some as the most far reaching in the nation, is too unwieldy for small businesses to follow. However, the law is getting watered down a bit, making it more palatable for small businesses.So let's suppose you run a small business, say less than 25 employees. Do you even have a formal IT department? Perhaps you do, but most likely you've outsourced your IT operations, and you only call them in an emergency because making payroll is stressful enough. Now imagine having to comply with a data security regulation that was originally conceived of as a result of TJX, a company with millions of customers containing millions of records of personally identifiable information within their data centers.

The question is, should your business be held to the same data security regulation that TJX should? Thankfully, along with this second delay in the implementation of the new MS Data Privacy law, the original legislation has been amended to take a more "risk based" approach. What does that actually mean? Well, from what I can tell, the judiciary will have plenty wiggle room when assessing your ability to comply with the wide range of requirements written into the legislation.

The new version of the law (201 CMR 17.00) seems more palatable for small business. Much of what is in the presently proposed legislation should already be happening, even within small shops. Things like implementing password policy, auditing permissions to data that contains PII, ensuring virus and malware software is up to date, disabling the accounts of terminated employees, etc.. Those are tasks that clearly should not introduce additional burden on small businesses. The requirement to encryption PII can get tricky for small businesses, but few will argue about the merits of forcing this requirement.

The state of MA will be holding a public debate on the bill on 9/22 in Boston. It should be an interesting spectacle. Perhaps this hearing will devolve into a health care like shouting match between big business and the legislature. I plan on going, stay tuned for more.

About the Author(s)

Randy George

Director, IT Operations, Boston Red Sox

Randy George has covered a wide range of network infrastructure and information security topics in his 4 years as a regular InformationWeek and Network Computing contributor. He has 13 years of experience in enterprise IT, and has spent the last 8 years working as a senior-level systems analyst and network engineer in the professional sports industry. Randy holds various professional certifications from Microsoft, Cisco and Check Point, a BS in computer engineering from Wentworth Institute of Technology and an MBA from the University of Massachusetts Isenberg School of Management.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights