The regulations, which take effect March 1, will make customers’ and employees’ personal information harder for hackers to access.
Five years ago, identity thieves intercepted wireless transmissions from two Marshalls stores in Miami, opening the floodgates for the biggest data breach in U.S. history. Now Massachusetts businesses are gearing up to comply with new state regulations designed to prevent a repeat of the breach at TJX Cos., the parent company of the Marshalls and T.J. Maxx chains.
The regulations, which take effect March 1, will make customers’ and employees’ personal information harder for hackers to access. While well-intentioned, the regulations are often vague and will be difficult to comply with and enforce, data security experts and legal sources say.
“It’s virtually impossible for somebody to be 100 percent in compliance with this,” said Deborah Birnbach, a partner at law firm Goodwin Procter’s Boston office.
The TJX data breach resulted in the release of at least 45.7 million credit and debit card numbers. Although the unauthorized access stretched back to 2005, the Framingham-based retailer didn’t notice any suspicious activity on its computer systems until December 2006.
An investigation by the Canadian government faulted TJX for failing to update its encryption system. The new Massachusetts regulations are designed in part to prevent similar breaches, Birnbach said.
The regulations affect a vast majority of businesses, since they apply both to those who collect or store customers’ or employees’ personal information. Personal information is defined as a name combined with either a Social Security number, bank account number or credit or debit account number.
Beginning in March, that data is required to be encrypted on any mobile device such as laptops or portable USB drives. The precaution follows several high-profile cases in which company data was accessed from stolen laptops, including the names and Social Security numbers of 800,000 applicants for jobs at the Gap in 2006 and 2007.
The encryption requirement also will apply to cell phones and PDAs.
“All of that is now fair game, so it’s a very broad scope,” said Colin Zick, a partner with law firm Foley Hoag in Boston. “That’s not to say it’s not warranted, because this is sensitive information for people.”
Companies are also responsible for installing Internet firewalls to prevent outside threats from accessing their systems.
For most small businesses, the cost of complying should be minimal, said Brian MacFee, owner of IT consultant Systems Support Corp. of Marshfield. Programs such as TruCrypt offer free downloads of reliable encryption software, and in-house IT departments can perform the bulk of the work.
Businesses will also be required to ensure that third-party vendors who may have access to customers’ information comply with the new regulations. They have until March 2012 to renegotiate contracts to reflect the new requirement, although companies should determine whether their vendors are compliant immediately, Birnbach said.
Another key component of the regulation is that all businesses draw up a written information security policy. The document should spell out what kind of data the company keeps and where, procedures for how it is protected, who has access to data and how to respond to a data breach. It also calls on companies to retrain employees, put one person in charge of enforcing the security policy, and update it every year.
Systems Support Corp. of Marshfield charges $300 for a consulting service in which it draws up a security policy for companies after a one-day consulting visit.
The state does not plan to audit companies’ security policies, so companies would likely be required to produce the document only after they report a data breach, Birnbach said. The state attorney general’s office will be in charge of enforcement.
Guidelines provided by the state Office of Consumer Affairs hint at the vagueness of the regulations. The required “scope and complexity” of a security program can vary depending upon a company’s resources and the type of information it stores.
And businesses only have to implement the computer security measures if there is a reasonable means through technology to accomplish the goal, according to the state’s guidelines.
“The term ‘reasonable’ (is so broad) you could land a plane on it,” MacFee said.
Jon Hurst, president of the Retailers’ Association of Massachusetts, said the responsibility of complying with the new rules could be excessive for smaller companies.
“A lot of small businesses are not the target of cybercriminals,” Hurst said, noting that the regulators sent a mixed message when they chose not to apply the same regulations to government agencies.
The rationale behind many of the regulations, such as prompt notification about a data breach, should be common sense to companies that seek to protect their reputations, Foley Hoag’s Zick said.
“If it’s slow to get the news out (about a breach), you’re really going to impair the brand,” he said. “My advice to clients is, ‘You’ve got to do the right thing for clients regardless of what the law says, because (otherwise) customers will punish you.’ ”
Patriot Ledger writer Steve Adams may be reached at email@example.com.