3 December 2008

Privacy And Security Alert: Breaking News--Massachusetts Extends Deadline To Comply With Data Security Standards To May 1, 2009

Mintz

Contributor

Mintz is a general practice, full-service Am Law 100 law firm with more than 600 attorneys. We are headquartered in Boston and have additional US offices in Los Angeles, Miami, New York City, San Diego, San Francisco, and Washington, DC, as well as an office in Toronto, Canada.

Citing the difficult economic conditions, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) today extended the deadline for compliance with standards for how businesses protect and store consumers' personal information.

In an OCABR press release, Undersecretary of Consumer Affairs and Business Regulation Daniel C. Crane said, "These sensible measures are already widely used by many Massachusetts companies, but we recognize that some businesses, currently facing economic uncertainties, will benefit from having additional time to comply." Crane added, "The action taken today serves to provide flexibility to businesses working to implement the necessary measures to safeguard their customers' personal information in a timely manner."

The new deadlines are as follows:

  • The general compliance deadline for 201 CMR 17.00 has been extended from January 1, 2009 to May 1, 2009. The date is consistent with a new Federal Trade Commission (FTC) Red Flag Rule, which requires financial institutions and creditors to develop and implement written identity theft prevention programs. Businesses addressing the new FTC requirements can now address the state regulations during the same time frame.
  • The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so will be extended from January 1, 2009 to May 1, 2009, and the deadline for requiring written certification from third-party providers will be further extended to January 1, 2010. This tiered deadline for requiring certification will ensure proper consumer protection and facilitate implementation without overburdening small businesses during harsh economic times.
  • The deadline for ensuring encryption of laptops will be extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices will be further extended to January 1, 2010. Many data breaches reported to date relate to laptops, and laptops are more easily encrypted than other portable devices such as memory sticks, DVDs, and PDAs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
