On February 11, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) announced that the effective compliance date of the security regulation, 201 CMR 17.00 (the “Regulation”), has been extended a second time from May 1, 2009 to January 1, 2010.  

Businesses now have a little over 10 months from now to comply with the Regulation. As we reported in our previous Client Advisories (Extension of Robust New Massachusetts Security Rules - What is Needed Now to Comply by May 1, New Massachusetts Guidelines for Mandatory Computer Security Policies, and Information Security Breaches and Appropriate Responses - New Mandatory Security Rule in Massachusetts and Privacy Policy in Connecticut) the Regulation requires any business, regardless of size and location, that owns, licenses, stores or maintains “personal information” of Massachusetts residents, including customers, employees, and others, to develop or revise its existing security policies, to amend third party contracts, and to implement encryption and other safeguards to satisfy the new Massachusetts requirements.

By January 1, 2010 regulated entities must now take “all steps” reasonable to verify that third party service providers are protecting personal information in compliance with the Regulation. While the amendment technically eliminated the provision requiring companies to contractually ensure third party compliance, nevertheless contractual requirements, including new reps and warrantees, will as a matter of sound practice be needed by January 1, 2010. Fortunately, the amendment does remove the separate written certification requirement that was to have been required of third party vendors.

The new deadlines under the Regulation are:

  • The general compliance deadline for 201 CMR 17.00 has been extended from May 1, 2009 to January 1, 2010.
  • The deadline for ensuring that third-party service providers are capable of protecting personal information has been extended from May 1, 2009 to January 1, 2010.
  • The deadline for ensuring encryption of personal data stored on laptops and portable devices is made the same and is January 1, 2010.

Note that this extension of the compliance date of the Regulation does not affect the Federal Trade Commission’s compliance date of May 1, 2009 for the federal Red Flag Rules.

Click here to view the official release announcing the deadline extension.