Data Privacy — a State-by-State Compliance Headache
Complying with federal data privacy mandates, particularly the Gramm-Leach-Bliley Act, with its financial privacy protection, safeguards rule, and pretexting (social engineering) protection, is hard enough. But ever since passage earlier in this decade of California SB 1386, which mandates the disclosure of data breaches and notification to individuals whose data has been potentially compromised, the pressure has only intensified. Almost two dozen states have adopted similar laws.
Beginning on Jan 1, 2010, expect the pressure to ratchet up. On that date, the latest Massachusetts data privacy protection regulation, MA 201 CMR 17, takes effect. This regulation, inspired by the massive data privacy breach that occurred at TJX, a major Massachusetts retailer, is regarded as the strictest of all.
Almost every business keeps the combination of data that falls under the new Massachusetts regulation. This will apply to almost every organization that transacts business with Massachusetts residents or employs them.
The difficulties begin with the way the state defines which personal information is subject to the regulation. According to the reg, an organization is subject to these rules if it keeps a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
1. Social Security number
2. Driver’s license number or state-issued identification card number
3. Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account
It’s pretty unusual to take a person’s credit/debit card info without getting his/her first and last name, too. The only personal data excluded from this is that which “is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.”
Unlike California, Massachusetts is rarely a legal trendsetter — gay marriage possibly being the exception — but if other states start picking this up, things could get really ugly from a compliance standpoint. So what is a responsible company to do?
Eze Castle Integration promises a service that will reduce this particular headache for its usual hedge fund clients. This is a typical consulting service with teams of people parachuting in to do assessments, locate the personal data, implement safeguards, and train employees. Almost any IT consulting company, legal services company, or law firm can probably provide similar services.
There are two steps you can take on your own to minimize the risk to your organization and those whose personal data you hold.
1. Identify, locate, and minimize the amount of personally identifiable data, destroying it as soon as you no longer need it
2. Encrypt the data subject to these regs both when it is stored and when it is in transit
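The "identify and locate" step starts with a rule that mirrors the definition above: a record is in scope only when a name (first name or first initial plus last name) sits alongside an SSN, a driver's license number, or a financial account number, and lawfully public records are excluded. The scanner below is an added example, not code from the post or from any vendor it mentions; the record layout, the sample records, and the driver's license pattern (Massachusetts-style "S" plus eight digits) are constructed assumptions, and card candidates are filtered with a Luhn check so stray digit runs are not flagged.

```python
import re

# Patterns for the three regulated data elements named in 201 CMR 17.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate PAN, checked with Luhn
DL_RE = re.compile(r"\bS\d{8}\b")                  # assumption: MA-style license format


def luhn_ok(candidate: str) -> bool:
    """Return True if the digits in candidate pass the Luhn checksum."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def has_name(record: dict) -> bool:
    """First name or first initial together with a last name (the reg's trigger)."""
    return bool((record.get("first_name") or "").strip()) and \
        bool((record.get("last_name") or "").strip())


def regulated_elements(text: str) -> set:
    """Which regulated elements appear anywhere in the record text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if DL_RE.search(text):
        found.add("dl")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        found.add("card")
    return found


def in_scope(record: dict) -> set:
    """Elements that make this record 'personal information' under the MA definition;
    empty set means the record is out of scope (no name, or lawfully public data)."""
    if record.get("public_record"):
        return set()
    if not has_name(record):
        return set()
    return regulated_elements(" | ".join(str(v) for v in record.values()))


def scan(records: list) -> list:
    """Index every in-scope record so it can be minimized or encrypted."""
    return [(i, sorted(in_scope(r))) for i, r in enumerate(records) if in_scope(r)]
```

Run `scan()` over a data inventory export to get the list of records that must be destroyed when no longer needed or encrypted at rest and in transit.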
The cost of the data breach at TJX ran into the millions (actually, $256 million), and that’s before settling lawsuits and government compliance investigations, according to the Boston Globe. This is a pain worth avoiding.