Businesses Given More Time to Comply with New Massachusetts Data Security Regulations
In a press release issued Nov. 14, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) extended the deadline for complying with its new regulations specifying how businesses must protect personal information about Massachusetts residents.
As we described in our September 2008 advisory, the regulations, 201 CMR 17.00, require businesses that store or process information about Massachusetts residents to encrypt documents sent over wireless networks and the Internet, to encrypt documents stored on laptops and other devices, to use firewalls and other security measures to protect the data, and to ensure that their service providers have the capacity to keep the data secure. The regulations had been scheduled to take effect Jan. 1, 2009.
Businesses have reported difficulty meeting the deadlines to encrypt information and to verify the capacity of their service providers to keep all information about Massachusetts residents secure.
The Massachusetts OCABR extended the general deadline for complying with the regulations to May 1, 2009, the same (extended) effective date as the Federal Trade Commission's identity theft “Red Flag” rules. For PDAs, USB drives, and similar devices other than laptops, OCABR extended the encryption deadline to Jan. 1, 2010. OCABR also delayed to Jan. 1, 2010 the deadline for businesses to obtain written certification from their service providers that the service providers will protect information about Massachusetts residents in accordance with the new rules.
We are available to provide further information about the Massachusetts regulations, OCABR's postponement of the deadlines, or identity theft rules and issues generally.