Data Security Regulations Revised and Postponed
Massachusetts’ new information security standards have been revised by the Office of Consumer Affairs and Business Regulation (OCABR), and the compliance deadline has been extended until March 1, 2010. The regulation requires all individuals and businesses, regardless of location, that maintain personal information about Massachusetts residents to develop and implement an information security program that is consistent with the new standards. In its press release, OCABR said that the changes are meant to “reinforce flexibility in compliance by small businesses.”
New Compliance Date
OCABR announced an amendment of its regulation, “Standards for the Protection of Personal Information of Residents of the Commonwealth,” requiring any person or business, regardless of location, that owns, licenses, stores or maintains a Massachusetts resident’s personal information to come into compliance by March 1, 2010. Without the amendment, the new information security requirements would have become effective on January 1, 2010.
Change to Standards for Third-Party Service Providers
The amendment also changed a rule that requires businesses and individuals to oversee compliance by third-party service providers with access to protected personal information. The revised rule requires that a business must oversee service providers by “taking reasonable steps to select and retain” vendors that are capable of maintaining appropriate security measures, and contractually requiring such vendors to maintain appropriate security measures. It appears that contracts entered into before March 1, 2010 will be grandfathered until March 1, 2012, and thereafter must be amended to include provisions concerning security measures, but there is some ambiguity in the revised regulation about the application of the rule to contracts entered into before the compliance deadline. In addition, the revised regulations define the term “service provider” to mean any person that receives, maintains, processes or otherwise has access to protected personal information through its provision of services directly to a person that is subject to the information security standards.
The amended regulation no longer expressly requires businesses and individuals to identify all paper and electronic records that contain protected personal information, or to immediately prohibit terminated employees from accessing personal information physically or electronically. Rules requiring that businesses limit the amount of personal information collected, limit the employees who have access to the information, and limit the time such information is retained to that which is reasonably necessary have also been eliminated. Despite their removal from the regulation, those security measures may still be reasonably required to safeguard protected personal information, depending on the nature of the business of the person obligated to comply with the security standards.
Finally, the revised computer system security rules are now applicable only to the extent that they are technically feasible. According to new guidance from OCABR accompanying the revised regulation, the term “technically feasible” means that if there is a reasonable means to accomplish the security measure, then that reasonable means must be used. Prior to the amendment, the technical feasibility condition only applied to certain encryption requirements.
This advisory was prepared by Nutter’s Data Security Breach and Privacy Law practice group. For further information, please contact Alexander Glovsky or your attorney at Nutter.