Gartner Blog Network

Guest Blogger Wednesday: Avivah Litan on Massachusetts’ Data Protection Law

by John Pescatore  |  November 26, 2008  |  1 Comment

Today we have a guest blogger from Gartner’s Security group, Avivah Litan:

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) recently extended the deadline for compliance with Executive Order No. 504 from Jan. 1 until May 1. This law, which requires encryption of data, is said to be the strictest data security law in the country.
I think it will become the standard for more stringent state-level data security legislation, since banking and other lobby groups will work hard to make this happen to extract penalties and reimbursement fees from organizations responsible for data breaches that lead to fraud that banks end up paying for.

How strictly this will be enforced will determine how much impact this legislation will have. I believe we will first see enforcement by example. In other words, once a data breach is discovered, the laws will be used to force the companies responsible for the data breach to pay back the banks and other companies who suffer the fraud and customer service costs on behalf of their customers (since they don’t typically make the customers pay). I don’t think there will be proactive enforcement of the laws since the government agencies don’t have the resources to do that.

It is certainly a ‘good’ thing to encourage stronger data protection among customer data custodians. However, we would like to see a more evenhanded approach where banks and other custodians of customer accounts take proactive measures to help the business community meet stricter security requirements. For example, they could modify their systems so that stolen data would be useless in any event, for example if its use required stronger dynamic authentication of the user.

 – Avivah Litan

John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

Thoughts on Guest Blogger Wednesday: Avivah Litan on Massachusetts’ Data Protection Law

  1. MIke says:

    As a Massachusetts citizen I, too, worry about the standards with which my state is taking care of data protection. People always worry about their credit card companies and retail outlets, but we cannot forget that our state agencies know EVERYTHING about us! A breach of security on that level could much more easily lead to identity theft and serious damage to your credit rating, not to mention any financial loss that could be incurred from such a breach.
