February 18, 2009
Massachusetts Extends Deadline for Compliance with Data Security Regulations to January 1, 2010
On February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) amended the Commonwealth’s Data Security Regulations (201 C.M.R. 17.00) (the “Regulations”). The Regulations mandate that any entity that stores personal information (a combination of name and Social Security number, bank account number, or credit card number) of Massachusetts residents must encrypt the information when the information is stored on portable devices, or transmitted wirelessly or on public networks. For a detailed description of compliance standards, see our previous alerts (January 22, 2008, October 2, 2008, October 31, 2008, and January 30, 2009).
The amendments to the Regulations come following widespread criticism of the Regulations’ implementation schedule and substantive language. In particular, critics alleged that complying with the Regulations by May 1, 2009 (the compliance deadline prior to the recent amendments) would impose a heavy financial burden on covered entities, and implementation was not feasible for many businesses.
Critics also focused on the Regulations’ requirements regarding third-party service providers. Prior to the recent amendments, the Regulations required covered entities to amend their contracts with service providers to include language stating that the service providers maintained safeguards for personal information in contracts with third-party service providers. The Regulations also required covered entities to obtain written certification from third-party service providers that the service providers have a written, comprehensive information security program that complies with the Regulations. Also, covered entities were required to obtain these contract provisions and certifications prior to any access to Massachusetts residents’ personal information by the service provider.
The recent amendments to the Regulations address both of these issues. Specifically, the amendments consist of the following changes:
- The general compliance deadline is now January 1, 2010 (rather than May 1, 2009). The deadline for encrypting personal information on all portable devices, including laptops, is also January 1, 2010 (rather than May 1, 2009, for laptops).
- Covered entities must take “all reasonable steps” to verify that third-party service providers with access to personal information have “the capacity to protect such information.” The Regulations no longer require covered entities to obtain written certification from third-party service providers, or to contractually require service providers to maintain safeguards for personal information, but the amendments do require that covered entities “ensure” that service providers apply “at least as stringent” controls as those in 201 CMR 17.00 to the personal information of Massachusetts residents.
The amended Regulations do not change the requirement that covered entities have a written comprehensive information security plan, nor do the amendments change the Computer System Security Requirements.
The full text of the amended Regulations can be found here. Any company with personal information of Massachusetts residents should become familiar with the Regulations’ provisions in order to comply with the requirements prior to the effective date of January 1, 2010. Mintz Levin’s Data Security Group can serve as a resource. Our attorneys have extensive experience in assisting clients with regulatory compliance in volatile environments. Should you have any questions, feel free to contact us.
Copyright © 2009 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
This communication may be considered attorney advertising under the rules of some states. The information and materials contained herein have been provided as a service by the law firm of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. to its clients and friends; however, the information and materials do not, and are not intended to, constitute legal advice. Neither transmission nor receipt of such information and materials will create an attorney-client relationship between the sender and receiver. The hiring of an attorney is an important decision that should not be based solely upon advertisements or solicitations. Users are advised not to take, or refrain from taking, any action based upon the information and materials contained herein without consulting legal counsel engaged for a particular matter. Furthermore, prior results do not guarantee a similar outcome.
list is maintained at Mintz Levin’s main office, located at One Financial
Center, Boston, Massachusetts 02111. If you no longer wish to receive electronic
mailings from the firm, please visit http://
For assistance in this area, please contact one of the attorneys listed below or any member of your Mintz Levin client service team.
Cynthia Larose, CIPP
Julia M. Siripurapu