Massachusetts extends deadline for encryption law

Written by Dan Blacharski on February 17, 2009

The Massachusetts data security regulation (201 CMR 17.00), which has drawn some controversy over its stiff requirements (but is nonetheless a good idea), has had its deadline extended again. This week the state moved the compliance date from May 1, 2009, to January 1, 2010. This is the second extension for the regulation, which was originally scheduled to take effect on January 1, 2009.

No explanation was given for the extension; we can only speculate that the state was bowing to pressure from interest groups to allow more time to comply. This seems to be a trend in government: pass laws that require action on the part of companies or individuals, and then routinely extend the deadlines multiple times. Consider the biggest example of this, the DTV switchover. Everybody in the country with a television has been bombarded with messages to get with the program, the government gave out coupons so that people who couldn't afford a converter box could get one, and the industry responded very well with new technology and fabulous new TVs with great resolution. (My wife got me a 42″ flat screen for my last birthday!) But alas, the switchover was delayed, an action that will have at least a temporary ripple effect throughout the telecom industry. Although I'm behind the President on a lot of things, this delay just made no sense at all.

And the delay in Massachusetts is likely more political than grounded in any sort of reality, just like the DTV switchover delay. Yes, switchovers like the DTV transition, and new regulations like the Massachusetts encryption law, will be messy at first. There's no avoiding it. No matter how long you wait, there will still be a few stragglers who won't comply in time, regardless of the number of extensions. Let's get on with it and let the chips fall where they may.

The Massachusetts regulation applies to any business that owns or licenses personal information about a state resident. Among other things, it requires encrypting personal information stored on laptops and other portable devices, and encrypting personal information whenever it is transmitted wirelessly or across a public network such as the Internet. Encryption is only one element, though: the regulation also requires a written, comprehensive information security program covering administrative, technical and physical safeguards.

The biggest criticism is the expense involved for small business, and that is indeed a legitimate concern. I've read in some articles about the law that there is a requirement to have an employee dedicated solely to security, and from my reading, this is not true. But let's look at that one for a moment. First of all, if you're a mid-size to large company, you already have at least one, if not several, employees dedicated to security, and if you don't, you should. Naturally, smaller businesses don't need a full-time security person, and it would be disastrous to make three- or four-person shops hire an extra employee just for this purpose. Even politicians aren't dumb enough to make such a requirement. Specifically, the regulation requires "Designating one or more employees to maintain the comprehensive information security program." Nothing is said about requiring a full-time employee; an existing employee can take on the role alongside other duties. (You can see a checklist of requirements at http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf.)

According to the state, the cost of compliance for a small business with no more than 10 employees is about $3,000, which includes ongoing technical oversight, monitoring, and maintenance. The state's report suggests that ongoing maintenance costs would be "absorbed within any currently existing technical support program, and if none currently exists, should cost no more than $500 per month." The state's estimates may be a little low, but they are definitely in the ballpark.
