The fallout of Massachusetts mandates on Arizona businesses (and it’s not what you think)
- Date: 18 May 2010
- Author: broyer
- Category: Encryption, News, Services
While the state of Arizona lately finds itself in the proverbial eye of the hurricane for an entirely different set of circumstances, a publication known as Inside Tucson Business has published an article concerning the impact of MASS 201 CMR 17 on Internet transaction-based businesses located in the state.
Entitled “Watch what data you store, or Massachusetts could get you,” the article by columnist Lee LeClair argues that the broad reach and deliberately borderless intent of MASS 201 CMR 17 expose a business in any state, Arizona included, to liability for failing to protect a Massachusetts resident’s data if that individual makes a purchase and the record of that purchase is later breached. The regulation’s scope is defined by the residence of the data subject, not the location of the business: it applies to anyone who owns or licenses personal information about a Massachusetts resident, and a name stored together with a credit card number is exactly the kind of record it covers.
To explain the significance of this law on an Arizona business, LeClair provides readers with the following scenario:
> Imagine your small business, Custom Paper Airplanes, receives a website order from a Massachusetts resident that includes his or her name, address and credit card number. Do you have the documentation, encryption of data on disk, encryption of data in backups, firewalls, intrusion detection systems, employee training, policies and incident response scenarios in place? If not, then you should not store credit card data on your system – a good idea anyway – or you run the risk of massive penalties.
LeClair further argues that, while noble, the law places an onerous burden on small businesses, which must either assume a high level of risk in accepting a Massachusetts e-transaction or, at the other end of that spectrum, refuse to do business with Massachusetts residents altogether.
While I cannot wholly divine LeClair’s intent in raising the flag on this law to the publication’s subscribers, I think it’s safe to say he sees MASS 201 CMR 17 as an alarm about states’ rights, the right to privacy and even manifest destiny itself, rather than the wake-up call I believe is really at the heart of this legislation. Not to nitpick, but regardless of where your business is located and whomever you serve as a customer, a transaction, whether it occurs at a brick-and-mortar location or over the Internet, is a handshake between the customer and you, the merchant. If that implied trust is violated at any level, whether through a data breach or some other failure, you as the merchant are responsible. Just because your business is not physically located in the state that voted the law in doesn’t excuse your accountability. Trust is always a two-way street, regardless of where that street is located.