Massachusetts’ new identity theft regulations, known as the “Standards for the Protection of Personal Information of residents of the Commonwealth”, is running into some opposition from lobby groups and Massachusetts retailers. The strict regulation requires all portable personal information about Massachusetts residents to be encrypted, regardless of whether that data is being emailed over the Internet or not. The rule is designed to add an extra layer of protection on data such as credit card numbers and other personal information. The regulation of course, is a no-brainer, and any business with common sense should be doing this already, regardless of regulation.

But apparently, the business lobby in the state takes exception to the rule, and advocates protested the regulations at a hearing last week. The business owners claim that compliance will be too expensive. However, this argument just doesn’t hold water. Of course, there will be some expenses involved in compliance. However, there have been numerous high-profile data thefts in the news, and the costs involved in cleaning up the mess, the possibility of lawsuits, and the negative public relations is far more costly than just putting in some encryption. In fact, the regulation is just common sense, and when businesses undertake to compile personal information from consumers, they do have a responsibility to protect that information. Laptops and mobile devices in particular are important to protect, since these may contain data that is very valuable to an identity thief, and represent an easy target.

Advocates asked the state to reissue regulations on May 1, and then give businesses two years to comply. The deadline has already been extended from May 1, 2009, to January 1, 2010. The time has come to do something about this situation and stop putting it off. The extended deadline would serve no valuable purpose other than to leave data open and vulnerable for a longer period of time.