The Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) announced today that it would extend the January 1, 2009 compliance date for its data security regulations (201 CMR 17.00), citing the need to provide flexibility to businesses that may be experiencing financial challenges brought on by national and international economic conditions.
OCABR extended the general compliance deadline from January 1, 2009 to May 1, 2009, and specifically noted that businesses developing plans to comply with the FTC's Red Flag rules (which have the same May 1, 2009 deadline) could prepare their data security plan concurrently to save costs.
OCABR also extended the deadline for ensuring that third-party service providers are capable of protecting personal information to May 1, 2009, and the deadline for written certification from third-party providers to January 1, 2010.
Finally, OCABR extended the deadline for the encryption of laptops to May 1, 2009, and the deadline for ensuring encryption of other devices such as PDAs, memory sticks, and DVDs to January 1, 2010, recognizing that laptops are more easily encrypted than those types of media.
At the same time, OCABR also stated that it planned to continue its outreach and educational initiatives, which indicates that additional guidance regarding compliance may be forthcoming.