Massachusetts extends deadline on data security rules again

13.02.2009

Deborah Birnbaum, an attorney at Goodwin Procter LLP in Boston who has been working with clients on compliance issues related to the regulations, said the changes are a definite improvement over the original rules, which she claimed would have required companies to rewrite their vendor contracts. Such a requirement would have been unreasonable, according to Birnbaum - especially in the case of large companies that typically deal with numerous third parties at any given time. "Our clients have been somewhat up in arms," she said.

At a high level, the regulations - which implement the data breach provisions in the state's consumer protection law - require any business that handles sensitive personal information on Massachusetts residents to while it's being transmitted over public networks or stored on mobile devices such as laptops, PDAs and memory sticks.

The rules also require companies to limit the amount of data they collect, have and maintain a detailed inventory of all personal data, whether it's stored in computers, archived on tapes or kept in paper files. In addition, businesses must deploy adequate physical and technical security controls for safeguarding protected data and properly authenticating users who are given access to the information.

At least prior to the revisions, the regulations were widely regarded as one of the most stringent sets of state-level data protection mandates in the country. The rules are targeted at all companies that handle the personal data of Massachusetts residents, whether they're based in the state or not, although there are questions about whether the regulations would be enforceable outside of the state.

Critics have slammed the regulations for being overly prescriptive and intrusive and have been pressing state regulators to tone them down. In January, a coalition of 70 organizations - including the Retailers Association of Massachusetts, the Massachusetts Bankers Association, the Greater Boston Chamber of Commerce and companies such as , Target, and - submitted a petition to the OCABR asking for a "rigorous stakeholder analysis" of the bill.