Last week the Commonwealth of Massachusetts made some adjustments to its identity theft protection regulations. In a well-written press release, they introduced the risk-based approach. This approach is especially important to small businesses that may not handle a lot of personal information about customers.
Under a risk-based approach, a business, in developing a written security program, should take into account its size, the nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.
New language in the regulations recognizes that the size of a business and the amount of personal information it handles play a role in the data security plan the business creates.
I have only a few concerns: the new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.
What if MY data is being breached or compromised? Why should I care that a small business decided that they are too small, their data isn't that sensitive, and the amount of data stored is too little to protect it? In my opinion, a risk-based approach should take into consideration the risk to the data, not the risk to the business that is not compliant. I guess that I should be more careful now whenever I'm shopping or doing any business in Massachusetts. Someone might think that protecting MY data and MY identity is not worth it.
The updated regulations will take effect March 1, 2010.
