The Commonwealth of Massachusetts released 201 CMR 17.00 in June 2009, which requires new safeguarding standards of entities that own, license, maintain, or store Massachusetts residents' personal information. Under the regulations, every entity that owns, licenses, maintains, or stores personal information about a Massachusetts resident would be required to develop comprehensive, written policies and procedures for safeguarding the information. Of course, this set of rules would apply to third-party service providers such as investment advisers.
Since its announcement, the effective date has been pushed back to March 1, 2010. The regulation, as revised, generally tracks the proposed rule amendments by the SEC to Regulation S-P. In its revisions, the Massachusetts Office of Consumer Affairs and Business Regulation made clear that the policy developed should depend, in part, on the size and nature of the entity developing the policy. Investment advisers would benefit from understanding the new Massachusetts regulations and should consider using them as the basis for reviewing their information security policies and procedures in advance of the changes to Regulation S-P.