About Retail Industry

BNET Retail provides daily industry trends and news coverage with insights for managers and executives about the key players in the consumer retail industry. In addition to detailed retail company profiles, we bring you industry analysis on new retailers, products, mergers and acquisitions, consumer spending figures, and a host of other important issues pertinent to the retail sector.

Data Privacy Rules Coming as Massachusetts Trumps the Feds

By Mike Duff | Jun 27, 2009

A privacy bill under consideration in Washington would significantly impact retail through provisions spelling out how companies must protect customer data and what they must do if information is compromised. Yet, as worrisome as that might be for some, any concern is essentially moot because a Massachusetts regulation with substantially the same provisions will go into effect Jan. 1.

And the rule is written in a way that essentially gives it jurisdiction in all 50 states.

Miriam Wugmeister, an attorney who chairs the global privacy and data security practice at law firm Morrison & Foerster, said the federal bill — H.R. 2221, the Data Accountability and Trust Act — affects any retailer who collects name plus credit card, driver's license or Social Security numbers, which includes just about all retailers. No exceptions for size, either, at least not as the bill is currently written. It requires retailers to have a security policy, establish a person with responsibility for data security, assess risks, remedy vulnerabilities and establish data disposal policies. It also requires notification to individuals who might be affected by a breach and to the Federal Trade Commission. Further, retailers would be required to pay for two years of credit reporting-related fees for individuals affected.

Wugmeister said there is no guarantee the current bill will get through Congress, although she did say some form of data security/notification law may emerge given the popularity of the no-call lists developed by federal agencies.

Yet, once it goes into effect on Jan. 1, the Massachusetts regulation will put provisions akin to what the federal bill proposes into effect nationwide. Retailers from Maine to California will be impacted for two reasons, Wugmeister said: first, because the federal bill won’t necessarily pre-empt state laws, and second, because the Bay State regulation was written to cover any company, down to the individual store, that does business with Massachusetts residents no matter where a subject transaction occurs. Now, a Massachusetts provision that applies to a Bostonian buying sunglasses in San Diego might not stand up to a legal challenge a retailer might be brave enough to make, or, given the sensitivity of the subject, foolhardy enough. However, the regulation also covers any company that is engaged in online transactions with Massachusetts residents in their home state. That element of the law, said Wugmeister, is more likely to stand up in court.

Morrison & Foerster makes the Massachusetts regulation available at http://mofoprivacy.com/detail.aspx?ID=290c1c69-e23c-4103-9d31-4e1c48b4dc43. Retailers might want to read it, as they may be forced to adhere to its strictures. Some years ago California passed an online privacy law that some websites tried to fight, but they quickly gave in as opposition was too complex and costly. Wugmeister added that 44 states currently have laws regarding breach notification, 28 regarding the handling of social security numbers and eight about protecting secure data. She said the Massachusetts law likely will embolden other states to set similar standards. Thus, even if some part touching on transactions outside of Massachusetts is shot down in court, it may all be for naught as legislatures act state by state. So it really doesn’t matter what Washington does. More stringent data security and notification rules are coming, Feds or no.

Mike Duff has written about retail and related fields for over 20 years. His work has appeared in publications as diverse as Retailing Today, Drug Store News, Supermarket Business, Consumer Digest, MarketingWeek, American Food and Ag Exporter magazines.
