Small Businesses Encounter Difficulty in Coping with Massachusetts Data Privacy Law

In March 2010, Massachusetts passed into law the Massachusetts Data Privacy Law. The passage of this law has proven to be an important point in the development of American data privacy law. While most states’ data privacy laws merely require public disclosure upon the occurrence of a breach, Massachusetts has taken a more proactive stance. The Massachusetts law requires organizations, no matter where they are located, “that store personal information about Massachusetts residents…to write security policies detailing how the data will be protected, encrypt the data when it is stored on laptops or other portable devices or transmitted over public networks, and monitor their systems for breaches.” The purpose of the law is to make certain that companies have an enforceable data security infrastructure.

While many large companies, especially those in finance and the healthcare industry, are able to readily adapt to the new law because they are already subject to data security laws like HIPAA, smaller companies are having a difficult time adjusting. Because of the law’s reach, these businesses are located all throughout America and even many foreign countries. In addition to struggling with understanding what the law requires and how to implement a satisfactory policy, many companies will have a difficult time financing such a program. It is entirely possible for a firm to spend a six figure sum in complying with the law.

Despite the difficulties inherent in adapting to this change, companies have reported upsides stemming from their compliance. In attempting to ensure that information is handled properly, firms learn where their data goes and how it is processed. This knowledge enables firms to understand their processes better as well as improve any inefficiencies. However, despite the fact that companies will enjoy benefits in complying with the law, small businesses still stand to bear a large burden, in terms of both time and money, in complying with the law. This does not mean that the legislature needs to amend the law in any way. Rather, it is up to the Attorney General’s Office to provide as much guidance as possible in helping small businesses ease the already heavy burden of implementing this law.