Data Security Standard Delayed to January 1, 2010Print PDF
Office of Consumer Affairs and Business Regulation extends time for compliance
The compliance deadline for Massachusetts’ new data security standards has been extended by the Office of Consumer Affairs and Business Regulation (OCABR). The regulations will require all individuals and businesses, regardless of location, that maintain personal information about Massachusetts residents to develop and implement a security program that is consistent with the new standards.
New Compliance Date
OCABR filed an amendment of its regulations, “Standards for the Protection of Personal Information of Residents of the Commonwealth,” requiring any person or business, regardless of location, that owns, licenses, stores, or maintains a Massachusetts resident’s personal information to come into compliance by January 1, 2010. Most of the new information security requirements would have become effective on May 1, 2009.
Change on Verifying Compliance by Third-Party Service Providers
The amendment also changed a rule requiring businesses and individuals to take reasonable steps to verify that any third-party service provider with access to protected personal information has the capacity to protect such information as required by the regulations. The amendment provides that a business must take “all reasonable steps” to ensure that its vendors apply security measures at least as protective as those required by the regulations. Prior to the amendment, the regulations required obtaining a contractual commitment and certificate of compliance from third-party vendors.
This advisory was prepared by Nutter’s Data Security Breach and Privacy Law practice group. For further information, please contact Alexander Glovsky or your attorney at Nutter.
This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.