Mass. delays enforcement of data security mandates

BOSTON - Regulators in Massachusetts have given restaurants and other businesses an extra four months to comply with new standards for storing and protecting credit card and other personal information about customers and employees.

The regulations, now set to take effect on May 1, require businesses to use encryption and firewalls to safeguard the data from hackers and identity thieves. They also require that businesses designate at least one employee as being expressly responsible for maintaining the security of electronic data. In addition, employees must be educated on the importance of protecting personal information and trained in how to use computer security systems properly.

Failure to comply could result in sanctions from the state attorney general, according to an official from the Massachusetts Restaurant Association. She characterized the cost of full compliance as “astronomical.”

The requirements, which initially were set to take effect Jan. 1, were delayed to provide businesses feeling the impact of the current economic downturn with some leeway for complying, according to regulators.

The mandate was issued after several retailers and restaurateurs in the state, including the Not Your Average Joe’s casual-dining chain, became the victims of data security breaches.

Operators will be required to “encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data and utilize up-to-date firewall protection that creates an electronic gatekeeper between the data and the outside world and permits only authorized users to access or transmit the data,” the Office of Consumer Affairs and Business Regulation states.

Officials of the Massachusetts Restaurant Association said they are working on ways to notify their members of the regulations.

“We have been e-mailing our members about this, but people have really been caught off guard,” said Janine Harrod, director of government affairs for the Massachusetts Restaurant Association. “The implications of this and the penalties [involved] are scary. This could be a whole other liability we’re creating on restaurants.”

Harrod said it is her understanding that if businesses do not comply with the security measures, “the attorney general can raise an injunction against you and collect damages.”

She also noted that the new standards would affect “any time you take a reservation over the phone and want to take a credit card [number down].” She warned that even popular reservation services aren’t necessarily secure.

Harrod added that the potential cost of implementing the new security regulations “if you really want to go through this to the letter are astronomical.” She said it would affect “even the way you handle employee information ... not just customer information. Even if your POS systems are up to date, what you do with your own staff information is subject. It’s extremely pervasive.”
