The Commonwealth of Massachusetts

 

——————————————

 

 

 

DEVAL L. PATRICK

GOVERNOR

 

TIMOTHY P. MURRAY

LIEUTENANT GOVERNOR

Executive Department

State House  ·  Boston 02133

(617) 725-4000

July 25, 2007.

 

To the Honorable Senate and House of Representatives:

 

   Pursuant to Article LVI, as amended by Article XC, Section 3 of the Amendments to the Constitution of the Commonwealth of Massachusetts, I am returning to you for amendment House Bill No. 4144, “An Act Relative to Security Freezes and Notification of Data Breaches”.

 

   I strongly support this bill’s purposes of protecting consumers from identity theft by allowing them to block new credit accounts in their names, requiring businesses and governments to alert consumers of security data breaches, and setting standards for the disposal of records containing consumers' personal information.  I congratulate the Legislature for this significant accomplishment.

 

   However, I am concerned about the provision of proposed G.L. c. 93H, §2(b), to be inserted by bill section 16,  which assigns to the state Secretary’s Division of Public Records the sole responsibility for adopting regulations to safeguard the personal information of residents of the Commonwealth that is owned or licensed.  This provision does not provide any role for the administration’s Information Technology Division (ITD) with respect to the state government’s electronic records, a role that ITD is uniquely qualified to perform.  In this respect, it is inconsistent with the bill’s proposed section 3(c) of the same chapter, which properly requires executive branch agencies to report “breaches of security” to both ITD and the Public Records Division.  It is also inconsistent with the Massachusetts Uniform Electronic Transactions Act, G.L. c. 110G, §17(a), a 2003 statute that gave ITD and the Public Records Division joint jurisdiction over executive branch electronic records.

 

For these reasons, I recommend that House Bill No. 4144 be amended, in section 16, in proposed subsection (b) of section 2 of chapter 93H of the General Laws, by striking out the first sentence and inserting in place thereof the following sentence:- “The supervisor of records, with the advice and consent of the information technology division to the extent of its jurisdiction to set information technology standards under subsection (d) of section 4A of chapter 7, shall establish rules or regulations designed to safeguard the personal information of residents of the commonwealth that is owned or licensed.”

 

Respectfully submitted,

 

 

 

 


                                                                                       DEVAL L. PATRICK,

                                                                                          Governor.