Originally published March 3, 2009
Office of Consumer Affairs and Business Regulation extends time for compliance
The compliance deadline for new data security standards for Massachusetts' businesses has been extended by the Office of Consumer Affairs and Business Regulation (OCABR). The regulations will require all businesses and individuals that maintain personal information about Massachusetts residents to develop and implement a security program that is consistent with the new standards.
New Compliance Date
OCABR filed an amendment of its regulations, "Standards for the Protection of Personal Information of Residents of the Commonwealth," requiring any person or business that owns, licenses, stores, or maintains a Massachusetts resident's personal information to come into compliance by January 1, 2010. Most of the new information security requirements would have become effective on May 1, 2009.
Change on Verifying Compliance by Third-Party Service Providers
The amendment also changed a rule requiring businesses and individuals to take reasonable steps to verify that any third-party service provider with access to protected personal information has the capacity to protect such information as required by the regulations. This will require some sort of due diligence review of vendors' information security capabilities. Before the rule was amended, it would have expressly required each business to contractually require its vendor's compliance with the data security standards and to obtain a certificate of compliance before allowing the vendor to access protected information.
The revised rule is somewhat more vague. In place of the contract and certificate requirements, it says that a business must take "all reasonable steps" to ensure that its vendors apply security measures at least as protective as those required by the regulations. While obtaining a contractual requirement of compliance and a certificate of compliance would appear to be reasonable steps to ensure that a vendor is applying the required security measures, the new rule leaves uncertainty about whether those steps are more or less than sufficient to comply.
OCABR has published some guidance on how to establish an information security program, including a model program for small businesses, a compliance checklist and answers to frequently asked questions, which are available on OCABR's website, www.mass.gov/ocabr.
This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.