8.28.2009 The Massachusetts Office of Consumer Affairs and Business Regulation revised its customer information security regulation. In addition, it extended the compliance date from January 1, 2010, to March 1, 2010.
The revised regulation will require all persons that own or license personal information about a resident of Massachusetts to develop, implement and maintain a comprehensive, written information security program applicable to any records containing such personal information. Third-party service providers must be required by contract to implement and maintain appropriate security measures for personal information, but any contracts entered into before March 1, 2010, need not include this requirement until March 1, 2012. The revisions make a number of liberalizing changes and generally adopt a risk-based approach: the required program takes into account the particular business's size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. This replaces an approach that would mandate every component of a program and require its adoption regardless of the size and nature of the business and the amount of information that requires protection.
Click http://www.mass.gov/?pageID=ocatopic&L=3&L0=Home&L1=Consumer&L2=Identity+Theft&sid=Eoca to access a Q&A about the rule.