The revised regulations extend the compliance deadline to March 1, 2010, and make an effort to lessen the burden on small business.
On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) released a revised 201 CMR 17, the Standards for the Protection of the Personal Information of Residents of the Commonwealth (the Regulations). The Regulations are part of Massachusetts’ comprehensive effort to combat the growing problem of identity theft. The Regulations apply to all persons that receive, maintain, process or otherwise have access to “personal information” in connection with providing goods or services or in connection with employment. The Regulations require minimum safeguards to ensure protection of such personal information, which the Regulations define as a Massachusetts resident’s first name and last name (or first initial and last name) in combination with one or more of the following: the resident’s Social Security number; driver's license number or state-issued identification card number; or a financial account, credit or debit card number.
According to OCABR Undersecretary Barbara Anthony, the changes reflect the input of small business leaders and represent a “fair balance between consumer protections and business realities.” Major revisions to the Regulations include the following:
- Extending the compliance deadline to March 1, 2010
- Narrowing the application of the Regulations to those who own, license, store or maintain personal information in connection with providing goods or services or in connection with employment (formerly, the Regulations covered any person that owns, licenses, stores or maintains personal information regardless of the purpose—obviously a wider net)
- Further clarifying that the Regulations permit businesses to take a risk-based approach to determining what are appropriate administrative, technical and physical safeguards (many see this as further clarification that smaller, lower-risk businesses can have more limited security programs)
- Withdrawing some of the more onerous elements formerly required of the written information security policies—for example, the revised Regulations eliminate the requirement that businesses engage in ongoing “monitoring” of their security programs
- Redefining the term “encryption” to make it technologically neutral
- Making “technical feasibility” a criterion for all requirements related to computer security
- Revising provisions applicable to third-party vendors
Stay tuned in the coming weeks for a more detailed article describing the complete substance of the revised Regulations and how they likely will affect those who do business in Massachusetts. In the meantime, however, businesses should not be lulled into a false sense of security that the burden of these Regulations has been lifted. All businesses—even small businesses—should continue to evaluate whether and to what extent they receive, maintain, process or otherwise have access to “personal information,” and then take all necessary steps between now and March 1, 2010, to implement appropriate safeguards and a written security program that will protect that information.