Reading Tea Leaves – The Difference Between Old And New CMR Rules Part I

This entry is part of the series "201 CMR 17 Revision". Entries in this series:
  1. Reading Tea Leaves - The Difference Between Old And New CMR Rules Part I
  2. Reading Tea Leaves - The Difference Between Old And New CMR Rules Part II
  3. Reading Tea Leaves - The Difference Between Old And New CMR Rules Part III

 

As I reported yesterday, here, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has issued an update to 201 CMR 17.00, the Massachusetts standards for the protection of residents' personal information. Let's go line by line and analyze the differences between the "old" and the "new" CMR rules.

And yes, I do love the Tea metaphors.

Comparison Between 201 CMR 17 Versions

Each entry below gives the section (with the old section number where it changed), the old text, the new text, and the meaning of the change.

17.01(1) (old 17.01(a))

Old: "… by persons who own, license, store or maintain personal information…"

New: "…by persons who own or license personal information…"

Meaning of change: This is a major shift in policy, taking storage companies, such as hosting providers, out of the compliance equation.

 

17.01(1) (continued)

Old: "Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents."

New: "The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer."

Meaning of change: This seems to be a minor, cosmetic change.
17.01(2) (old 17.01(b))

Old: "The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth."

New: "The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth."

Meaning of change: Same as the very first comment: the "store or maintain" language is gone.
17.03 – Definitions: "Encrypted"

Old: "Encrypted," transformation of data through the use of a 128-bit or higher algorithmic process, or other means or process approved by the office of consumer affairs and business regulation that is at least as secure as such algorithmic process, into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

New: "Encrypted," the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.

Meaning of change: This is also a major policy change:

a) The OCABR no longer has to approve alternative encryption methods;

b) The 128-bit minimum is no longer demanded;

c) The qualifier "low probability" is removed; the new text says meaning "cannot be assigned".

Note: The phrase "meaning cannot be assigned" may be a grammar error.

   

Owns or licenses, receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.

A new definition.  Not sure why this is called out, as it seems to me as conflicting with the direction-change inherent in the change I outlined in the first part of this table.
17.03 – Definitions: "Service provider"

Old: No equivalent definition.

New: "Service provider," any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation; provided, however, that "Service provider" shall not include the U.S. Postal Service.

Meaning of change: This is a new definition in the regulation, detailing who a service provider is. This too seems to me to conflict with the direction change inherent in the change I outlined in the first entry of this table.

The OCABR here seems to be a tad "confused"… I am not sure why they are calling out the USPS, and not, for example, HUD or the FBI.

 

 

The usual disclaimer: I am not a lawyer. I don't even play one on TV. This is not legal advice.

Tomorrow, I will continue the analysis of the differences between the new and old versions of the 201 CMR 17 rules.
