Reminder: March 1, 2010 Deadline for Massachusetts Information Security Regulations Compliance

Cooley Alert
February 17, 2010

After several extensions and revisions over the course of 2009, Massachusetts will begin enforcing the March 1, 2010 compliance deadline for its regulations aimed at curbing identity theft—201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth. In short, if you own, license, store, maintain or otherwise receive personal information of Massachusetts residents in connection with your business, the time is long overdue to review your information security policy to ensure your company is in full compliance with the regulations by March 1.

The regulations require a company to maintain an information security policy with appropriate safeguards, as set forth in the regulations. Among the additional provisions are requirements that companies take appropriate steps to oversee third-party service providers that handle personal information, and that companies encrypt personal information under certain circumstances. Previous Cooley Alerts from November 2008, February 2009 and September 2009 provide a more detailed overview of the original regulations and the subsequent changes and delays.

For companies familiar with the FTC's Identity Theft Red Flags Rule[1], 201 CMR 17.00 is similar in that both require written policies intended to make companies address and identify risks aimed at preventing identity theft; both have been subject to repeated delays to allow for sufficient awareness and to address concerns and confusion among companies as to who is covered and what is required; and both are likely to see an end to the delays and the beginning of enforcement in 2010.

If you have any questions regarding any of our Alerts or how the regulations discussed herein could affect your company, please contact one of the attorneys listed above.


[1] 16 CFR 681.1
