All Compliance Deadlines Under 201 CMR 17.00 Extended to January 1, 2010

Third Party Service Provider Requirements Relaxed

Deadline Extensions

On February 12, 2009, the Massachusetts Office of Consumer Affairs announced an extension of ALL deadlines for compliance with the Massachusetts Privacy Regulations (201 CMR 17.00).  All companies dealing with the personally identifiable information of a Massachusetts resident will need to comply with the regulations by January 1, 2010.
 
Third Party Service Provider Requirements

Prior Regulations:  All companies were required to bind third party service providers contractually to comply with the privacy regulations.

New Regulations:  The revised regulations require companies only to take reasonable steps to ensure that the third party service provider safeguards personally identifiable information in compliance with the statute.

What this Means to You

The amendment removes the significant hurdle of obtaining written contractual guarantees from third party service providers; however, the amendment does not eliminate the need for companies to reasonably ensure that third party service providers comply with the regulations.  All companies need to begin the process of discussing the regulations with third party service providers to ensure that the data protection program and policies employed by the providers reasonably comply with the regulations.

Prince Lobel’s Privacy Group remains uniquely positioned to assist your company in developing a compliant privacy policy and to assist you in evaluating third party service provider compliance under the regulations.

Here is a new list of all compliance deadlines:  

  • January 1, 2010 for general compliance.  This date has changed from the original deadline of January 1, 2009.
  • January 1, 2010 for ensuring that third party service providers are reasonably capable of providing safeguards for personal information.  This date has changed from the original deadline of January 1, 2009.
  • January 1, 2010 for encryption of company laptops.  This date has changed from January 1, 2009.
  • January 1, 2010 for the encryption of all other portable devices, aside from laptops, such as memory sticks and PDAs.  This date has changed from January 1, 2009.