Regulator heal thyself – Massachusetts Data Privacy Regulations hardly proactive
It is an axiom of organizational compliance: awareness of compulsory policies is the first step (or hurdle) to compliance. The new Massachusetts data privacy regulations, currently scheduled to have a required compliance date of March 1, 2010 (originally May 1, 2009, then January 1, 2010), are comprehensive, forward-thinking and proactive in nature, but little known by rank-and-file businesses (even here in Massachusetts).
The best-drafted compliance program within an organization isn't worth the paper it's written on if no one knows about it. The same is true for mandatory, prescriptive regulations. If more outreach isn't done, the best that can come of these regulations is enforcement after a breach has occurred. The rules, as written and as intended, are meant to protect Massachusetts residents from exposure — to be proactive.
Lots of chatter – It's true there is lots of chatter about the new regulations, but by whom? Me, for one. The folks who are paying attention are either consultants to businesses in the areas of compliance and data security, or organizations large enough to have an independent compliance function (or larger organizations still that have dedicated data privacy offices). Most small and mid-sized businesses that have had no prior experience with data privacy issues are not informed.
Most small and mid-sized businesses clueless – When I speak to executive and mid-level managers who need to be informed about the regulations, and about the risks in their business processes which inherently give rise to the need for the regulations, they are clueless. Clueless in regard to the magnitude of the risk, their potential exposure, and the fact that the State has promulgated these new rules. Moreover, most are incredulous in the face of the prospect that yes, indeed, this means you.
No effort to educate – Outside of the industries and consultants that already have a data privacy infrastructure, there is little evidence that the State has given much thought to awareness. Remember the first axiom of organizational compliance I mentioned. In fact, it is even difficult to navigate the website of the Massachusetts Office of Consumer Affairs and Business Regulation so that you can find the helpful material that is posted (deep within). Go ahead and try, and report back to me.
The regulators in Massachusetts need to fix this problem if there is any hope that a prevention model of data privacy regulation can lead to a positive change for the citizens. A mechanism that punishes poor practices after a data breach does much less good than one that prescribes and enforces good practices before a breach occurs. As they say, it's much better to close the barn door before the horse is out.