02/23/2009
Massachusetts Extends Deadline and Revises New Information Security Regulations
Following a public hearing and written comments regarding 201 CMR 17.00—data privacy regulations that set standards for how personal information of Massachusetts residents must be protected—the Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) has provided both short term and long term relief for companies working to bolster their securities policies to comply with 201 CMR 17.00. For the second time now, Massachusetts has delayed the effective date for what will be sweeping changes to how companies dealing with personal information of Massachusetts residents must protect that personal information. Additionally, the OCABR has changed what is required from companies and their third-party service providers.
First, the OCABR extended the deadline by which companies must be in compliance with the regulations. Originally intended to go into effect on January 1, 2009 and then delayed to May 1 for all but two of the sections, the new deadline now gives companies until January 1, 2010 to either implement a security policy or revamp their current policy to comply with all sections of the regulations.
Second, the OCABR has changed what is required of companies that provide access to personal information to third-party service providers. Rather than requiring companies to obtain written certification from these providers as the prior version of the regulations did, this new version simply requires that companies take all reasonable steps to verify that their third-party service providers given access to personal information are applying security measures and have the capacity to protect the information as required by 201 CMR 17.00.
If you own, license, store or maintain personal information of Massachusetts residents, you must comply with these regulations by January 1, 2010. A Cooley Alert published on November 7 provides an overview of the Massachusetts regulations in general. If you have any questions regarding either update or how the regulations discussed therein could affect your company, please contact one of the attorneys listed below.
If you have any questions regarding this update or how the regulations discussed herein would affect your company, please contact one of the attorneys listed below: