Under pressure from the business community, and citing current “economic uncertainties,” the Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) recently extended the deadline for compliance with the regulation on Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) (“Standards”).
In our Management Alert issued on October 13, 2008, New Data Privacy and Security Standards Affecting Business with Information About Massachusetts Residents, you were informed that the Standards require every business that collects information on Massachusetts consumers or employees to adopt comprehensive standards for the protection of personal information. The Standards were initially set to take effect on January 1, 2009.
OCABR announced on November 14, 2008, that the implementation deadline was postponed and that the Standards would be phased in over the next thirteen months. The new deadlines are as follows:
- The general compliance deadline for the Standards was extended to May 1, 2009. OCABR noted in its press release that the May date is consistent with a new Federal Trade Commission (FTC) Red Flag Rule, which requires financial institutions and creditors to develop and implement written identity theft prevention programs. See our One Minute Memo® of October 13, 2008, Are You Prepared to Comply with New Identity Theft Regulations? Businesses can now address the Standards and the FTC Red Flag Rule simultaneously.
- The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so was also extended to May 1, 2009, and the deadline for requiring written certification from third-party providers was further extended to January 1, 2010.
- The deadline for ensuring encryption of laptops was extended to May 1, 2009, and the deadline for ensuring encryption of other portable devices was further extended to January 1, 2010. Referencing a recent data security study, OCABR noted that many data breaches reported to date relate to laptops, and that laptops are more easily encrypted than other portable devices such as memory sticks, DVDs, and PDAs.