Alerts and Updates

Massachusetts Modifies Its New Information Security Rules for Businesses and Extends the Compliance Deadline Again

August 19, 2009

The Massachusetts Office of Consumer Affairs and Business Regulation issued a press release on August 17, 2009, extending the deadline for compliance with the state's new information security regulations from January 1, 2010, to March 1, 2010, and updating the regulations to implement a more risk-based approach.

The regulations had required all businesses, regardless of size, that own, license, store or maintain personal information about a resident of Massachusetts to encrypt that information when stored on portable devices or transmitted wirelessly or on public networks, and adopt a comprehensive, written information security program. New language in the regulations now recognizes that the size of a business and the amount of personal information it handles is a factor in the data security plan the business creates. Hence, the regulations were modified so that the safeguards are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.

The regulations were originally scheduled to take effect on January 1, 2009, and were then extended until May 1, 2009, and then January 1, 2010, prior to this latest extension.

For Further Information

If you have any questions regarding these regulations, including how they may affect your company, please contact Sandra A. Jeskie, a member of the Information Technologies and Telecom Practice Group or the lawyer in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.