Friday, 11/07/2008 4:28:46 AM

Mass: Get ready for data privacy regs
Friday, November 7, 2008
By Galen Moore
http://www.masshightech.com/stories/2008/11/03/weekly14-Mass-Get-ready-for-data-privacy-regs.html

Companies and lawyers are working overtime to comply with new data-privacy regulations that will take effect on Jan. 1, giving Massachusetts what observers say are the nation’s strictest rules governing sensitive customer and employee information.

The new regulations, announced in September by the Massachusetts Office of Consumer Affairs and Business Regulation, will require companies to safeguard with firewalls all personal data belonging to any Massachusetts resident, and encrypt it whenever it is transmitted or saved on a portable device such as a laptop or a flash drive.

Noncompliance could leave a company more vulnerable to a class-action lawsuit in the event of a data breach, said David J. Goldstone, a litigator at the Boston law firm of Goodwin Procter LLP.

Until now, judges have been reluctant to send such lawsuits to trial, Goldstone said. “If in addition to a brief, there’s an actual violation of a state regulation, particularly for a Massachusetts entity, the court may say that cause of action shouldn’t be dismissed,” he said. “That should go to a jury.”

Companies may find it difficult to comply by the January deadline, said Brian E. Burke, Northeast director of state government affairs at Microsoft Corp.

“Even for companies with mature security and privacy programs, there are many challenges in meeting the requirements mandated in the (Massachusetts) data privacy regulations and it will likely require years of effort to comply with this regulatory framework,” Burke wrote via e-mail to Mass High Tech.

State Consumer Affairs general counsel David Murray said companies have had time to prepare for the regulations.

“We have had extensive contacts with all kinds of interested industry parties,” he said, citing a public input process that began last November. “The scope of these regulations — at least the proposed regulations — has been known for almost a year.”

Any vigilant enterprise is already “95 percent there,” said Michelle Drolet, CEO of Towerwall Inc., a Framingham-based security software and services company.

“What this regulation is going to do is, it’s going to make organizations figure out what information is really important to protect,” she said. “You can’t protect everything.”

Steven K. Sprague, CEO of Wave Systems Corp. (Nasdaq: WAVX), recommended companies protect against device theft by looking for encrypted hard drives when buying new laptops. The Lee-based company makes encryption software. Hard-drive encryption doesn’t require a pile of passwords and makes a laptop as easy to use as a handheld device that requires a PIN to operate, Sprague said.

But Kent Summers, managing partner at Waltham-based Practical Computer Applications Inc., said sensitive data shouldn’t be stored on a laptop in the first place. He suggested companies should keep that information on the network.

For now, uncertainty remains regarding companies based outside of Massachusetts that work with customers or employees in the commonwealth. The Office of Consumer Affairs and Business Regulation has left it up to the Attorney General’s Office to determine whether the regulation would be enforced against such entities.

A spokeswoman for Attorney General Martha Coakley declined to comment beyond saying the office is reviewing its enforcement role.

Costs
The state estimates compliance will cost $3,000 upfront, plus $500 a month, for a small business employing 10 people, with three laptops, seven desktops and one network server.

Requirements
Every business handling Massachusetts residents’ personal data must:
• Build firewalls and encrypt data whenever it is transmitted or stored on portable devices
• Develop a security program, designate an employee to manage it, and discipline employee violators
• Train employees regarding security
