Comments on: Reading Tea Leaves – The Difference Between Old And New CMR Rules Part II http://arielsilverstone.com/privacy/reading-tea-leaves-difference-between-old-and-new-cmr-rules-1-2/ Intelligent Business Security Fri, 14 May 2010 03:58:27 +0000 hourly 1 By: Ariel http://arielsilverstone.com/privacy/reading-tea-leaves-difference-between-old-and-new-cmr-rules-1-2/comment-page-1/#comment-158 Ariel Thu, 01 Jan 1970 00:00:00 +0000 http://arielsilverstone.com/?p=2424#comment-158 <a href="#comment-156">@Patrick Engelman </a> Interesting. Can not imagine that in today's day and age, a government office would issue a regulation without checking with the State's Attorney General's office. @Patrick Engelman
Interesting. Can not imagine that in today’s day and age, a government office would issue a regulation without checking with the State’s Attorney General’s office.

]]> By: Patrick Engelman http://arielsilverstone.com/privacy/reading-tea-leaves-difference-between-old-and-new-cmr-rules-1-2/comment-page-1/#comment-156 Patrick Engelman Thu, 01 Jan 1970 00:00:00 +0000 http://arielsilverstone.com/?p=2424#comment-156 Ariel, I agree -- I am torn between wanting an absolute right to control what third parties do with _my_ information, from a privacy and consumer protection standpoint.. but also wanting something that will be reasonable for small businesses. The OCABR has been very straightforward in asserting that they have no idea whatsoever how the Attorney General's office is going to enforce these regulations; it will be interesting to see what happens on that front. -- Patrick Ariel,
I agree — I am torn between wanting an absolute right to control what third parties do with _my_ information, from a privacy and consumer protection standpoint.. but also wanting something that will be reasonable for small businesses. The OCABR has been very straightforward in asserting that they have no idea whatsoever how the Attorney General’s office is going to enforce these regulations; it will be interesting to see what happens on that front.
— Patrick

]]> By: Ariel http://arielsilverstone.com/privacy/reading-tea-leaves-difference-between-old-and-new-cmr-rules-1-2/comment-page-1/#comment-138 Ariel Thu, 01 Jan 1970 00:00:00 +0000 http://arielsilverstone.com/?p=2424#comment-138 Patrick, That is correct, but it would also serve, had it stayed in, to make sure businesses, large and small, both (a) look for the privacy policies provided by companies like Intuit (which should, themselves, assure compliance) and (b) create a demand for such compliance by 3rd parties from more and more businesses. Patrick,

That is correct, but it would also serve, had it stayed in, to make sure businesses, large and small, both (a) look for the privacy policies provided by companies like Intuit (which should, themselves, assure compliance) and (b) create a demand for such compliance by 3rd parties from more and more businesses.

]]> By: Ariel http://arielsilverstone.com/privacy/reading-tea-leaves-difference-between-old-and-new-cmr-rules-1-2/comment-page-1/#comment-137 Ariel Thu, 01 Jan 1970 00:00:00 +0000 http://arielsilverstone.com/?p=2424#comment-137 <a href="#comment-135">@Patrick Engelman </a> Patrick, Thank you. I was aware of the amended.pdf file, but not aware of its status due to OCABR not discussing it in public. You will agree that the original language was much stronger than the text we have today. Thank you again! Ariel @Patrick Engelman

Patrick,

Thank you. I was aware of the amended.pdf file, but not aware of its status due to OCABR not discussing it in public. You will agree that the original language was much stronger than the text we have today.

Thank you again!
Ariel

]]> By: Patrick Engelman http://arielsilverstone.com/privacy/reading-tea-leaves-difference-between-old-and-new-cmr-rules-1-2/comment-page-1/#comment-136 Patrick Engelman Thu, 01 Jan 1970 00:00:00 +0000 http://arielsilverstone.com/?p=2424#comment-136 As a small business, compliance with this third-party contract rule may be difficult if I have to hire a third-party who may have incidental access to personal information. For instance, maybe I have to hire Quicken support services to help me fix a bug in my accounting software -- however the likelihood that the Intuit corporation is going to be willing to sign any contract with a small business before performing this work is small. As a small business, compliance with this third-party contract rule may be difficult if I have to hire a third-party who may have incidental access to personal information. For instance, maybe I have to hire Quicken support services to help me fix a bug in my accounting software — however the likelihood that the Intuit corporation is going to be willing to sign any contract with a small business before performing this work is small.

]]> By: Patrick Engelman http://arielsilverstone.com/privacy/reading-tea-leaves-difference-between-old-and-new-cmr-rules-1-2/comment-page-1/#comment-135 Patrick Engelman Thu, 01 Jan 1970 00:00:00 +0000 http://arielsilverstone.com/?p=2424#comment-135 Just a note about the third party contract requirements -- this clause had been taken out a couple of revisions back, and was just now put back in. This is one of the only ways this newest revision is actually getting stronger. Were you comparing the newest revision with the original rule, or with the previous rule which had a January 1, 2010 start date. The previous (i.e. before August 17th) version of the rule had _no_ requirements for contracts or written compliance statements from third parties. The language from the previous version went: Taking all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00. You can see the previous version at http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf Just a note about the third party contract requirements — this clause had been taken out a couple of revisions back, and was just now put back in. This is one of the only ways this newest revision is actually getting stronger. Were you comparing the newest revision with the original rule, or with the previous rule which had a January 1, 2010 start date. The previous (i.e. before August 17th) version of the rule had _no_ requirements for contracts or written compliance statements from third parties.

The language from the previous version went:

Taking all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00.

You can see the previous version at http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf

]]>