Once again, businesses handling the personal information of a Massachusetts resident have been granted an extension to comply with the Massachusetts Data Security Regulations. The proposed new deadline for compliance is March 1, 2010. Personal information is defined as first name (or initial) and last name, combined with social security number, bank account number, credit card number or other financial account number.
On August 17, 2009, the Office of Consumer Affairs and Business Regulation (OCABR) released revised regulations which Undersecretary Barbara Anthony believes will "feature a fair balance between consumer protection and business realities." According to OCABR, they listened to the concerns of small business leaders and "understand[s] that there were issues regarding the impact these regulations have on those companies."
The new regulations adjust the compliance requirements to reflect the size, business scope, amount of stored data maintained by a company, the available resources to a company for compliance, and the need for security and confidentiality of both consumer and employee information. As a result, the new regulations are "risk based in implementation" rather than at the time of enforcement, which is a reversal of the previous regulation mandate. This will allow businesses greater flexibility in tailoring an appropriate program that fits each individual business.
In addition, the regulations are now technology neutral, which is an acknowledgement that technical feasibility will play a role in determining what many businesses must do to protect data. This is a welcome departure from the original regulations and an indication that OCABR recognizes the significant economic and practical issues facing many businesses, large and small, in complying with these regulations.
Despite this temporary reprieve for compliance, businesses handling the personal information of Massachusetts residents should begin the process of evaluating their data security measures and implementing the mandated comprehensive written information security program ("WISP"). Prince Lobel’s Privacy Group is working with clients to provide the necessary guidance for developing and implementing WISPs and documenting compliance with the new regulations.
A public hearing on the proposed regulations will be held on September 22, 2009 at 10:00 AM at the Transportation Building, 10 Park Plaza, Boston, MA.
To learn more about these new privacy regulations, or for assistance in developing and implementing a WISP for your business, please contact the author of this Alert, Peter J. Caruso II at pcarusoii@princelobel.com or 617 456 8034.