On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) again revised the Commonwealth’s identity theft regulations. The revision extended the effective date to March 1, 2010, and eased compliance requirements for small businesses by clarifying that the regulations are risk-based in implementation, so a business may take into account factors such as its size and scope when developing its written security program. OCABR also amended the definition of “encryption” to be technology neutral and eased the third-party service provider requirements by providing a two-year window for compliance and making them consistent with federal law. The original regulations had required businesses to select and retain third-party service providers capable of maintaining safeguards for personal information and to require, by contract, that those service providers maintain such safeguards. In addition, before allowing a third-party service provider access to personal information, a business was to obtain from the provider written certification that it had a written, comprehensive information security program in compliance with the Massachusetts identity theft regulations.
The Massachusetts regulations require every business to develop, implement, and maintain a comprehensive, written security program for paper and electronic records that contain personal information about Massachusetts residents. Personal information is defined as a Massachusetts resident’s first name or initial and last name combined with a Social Security number, driver’s license or state-issued identification card number, credit or debit card number, or financial account number. The regulations also impose specific security requirements on computer systems, such as encryption of all personal information stored on laptops, flash drives, and other portable devices, and of all wirelessly transmitted data containing personal information. The text of the regulations can be found at: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.