On February 11, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) announced that the effective compliance date of the security regulation, 201 CMR 17.00 (the “Regulation”), has been extended a second time from May 1, 2009 to January 1, 2010.
By January 1, 2010, regulated entities must take "all reasonable steps" to verify that third-party service providers are protecting personal information in compliance with the Regulation. Although the amendment technically eliminated the provision requiring companies to contractually ensure third-party compliance, contractual requirements, including new representations and warranties, will as a matter of sound practice still be needed by January 1, 2010. Fortunately, the amendment does remove the separate written certification that third-party vendors would otherwise have had to provide.
The new deadlines under the Regulation are:
- The general compliance deadline for 201 CMR 17.00 has been extended from May 1, 2009 to January 1, 2010.
- The deadline for ensuring that third-party service providers are capable of protecting personal information has been extended from May 1, 2009 to January 1, 2010.
- The deadline for encrypting personal information stored on laptops and other portable devices is now the same as the general deadline: January 1, 2010.
Note that this extension of the Regulation's compliance date does not affect the Federal Trade Commission's May 1, 2009 compliance date for the federal Red Flag Rules.