February 12, 2009 - The Massachusetts Office of Consumer Affairs and Business Regulation ("OCABR") announced that the data security rules issued pursuant to Massachusetts' data breach law had been revised and that implementation of the rules had been delayed until January 1, 2010. The rules had been scheduled to take effect on May 1, 2009.
Under the previous version of the rules, businesses would have had to contractually require third-party service providers to maintain appropriate safeguards for personal information and obtain written attestations of compliance with the Massachusetts rules from those service providers. The revised rules state that businesses shall "take all reasonable steps" to verify that third-party service providers comply with the data security regulations. The rules were also revised to require, "to the extent feasible," "encryption of all data containing personal information to be transmitted wirelessly."
A copy of the new rules can be found at the OCABR website.