On February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation issued a revised version of its information security regulations and extended the compliance deadline from May 1, 2009 to January 1, 2010. This is the second time Massachusetts has extended the deadline; previously, the deadline was changed to May 1, 2009 in consideration of the economic climate.  

Changes to the Regulations  

In addition to extending the compliance deadline, Massachusetts made several substantive changes to the requirements. The regulations previously required businesses to obtain written certifications from service providers with access to personal information stating that they had implemented a written, comprehensive information security program in compliance with the regulations. The prior version of the rule also required that businesses get contractual representations from such service providers regarding their safeguards for personal information. Those requirements have been eliminated, but other requirements related to service providers were retained. Accordingly, businesses must take all reasonable steps to (1) “verify that any third-party service provider with access to personal information has the capacity to protect such personal information” in the manner provided for by the regulations and (2) “ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information” under the regulations.  

The revised regulations also clarify the encryption requirements for data in transmission, applying the requirements to “all transmitted records and files containing personal information that will travel across public networks” and “all data containing personal information to be transmitted wirelessly.” Previously, the encryption requirements had applied to “all transmitted records and files containing personal information that will travel across public networks” and “all data to be transmitted wirelessly,” without limiting such data to those containing personal information.  

Retention of Other Requirements  

The regulations retain other key requirements, including the mandates for organizations that maintain personal information, to develop and implement a comprehensive, written information security program; identify all records, systems and storage media that contain personal information; conduct an annual review of security measures; use secure user authentication protocols and secure access control measures; and adhere to other technical requirements.  

For more information regarding the scope and requirements of these Massachusetts regulations, please see our previous Client Alert here.