Massachusetts delays implementation date of new data security regulations

On November 14, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) extended the implementation deadline for the new identity theft prevention regulations designated in 201 Mass. Code Regs. 17.00 et seq. Unveiled by OCABR in September 2008, the regulations establish standards for how businesses must protect and store personal information of Massachusetts consumers. Specifically, the regulations require businesses to encrypt all personal information of Massachusetts residents transmitted across public networks or wirelessly, and such information that is stored on laptops or other portable devices. Originally set to take effect January 1, 2009, the regulations will now take effect upon a tiered deadline schedule in order to accommodate businesses that may be facing financial difficulties given the current economic climate.

Below follows the new deadlines:

• The general compliance deadline for 201 Mass. Code Regs. 17.00 et seq. has been extended from January 1, 2009 to May 1, 2009.
• The deadline for requiring third-party service providers to be capable and contractually bound to protect personal information has been extended from January 1, 2009 to May 1, 2009. Additionally, the written certification requirement from third-party providers has been extended from January 1, 2009 to January 1, 2010.
• The deadline for encrypting laptops has been extended from January 1, 2009 to May 1, 2009. The deadline for encrypting other portable devices, such as memory sticks, DVDs, and PDAs, has also been extended from January 1, 2009 to January 1, 2010.