Massachusetts Data Security Regulations are Delayed and Amended

February 14, 2009 · Posted in New Legislation 

On February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation issued a revised version of the Commonwealth's new data security regulations, the Standards for the Protection of Personal Information of Residents of the Commonwealth, set forth in 201 CMR 17.00 (the "Regulations"). The Regulations impose strict and highly specific data security requirements on businesses that handle personal information about Massachusetts residents. The revised version makes two major changes and one clarification.

First, and most significantly, the effective date of the Regulations has been moved to January 1, 2010. The bulk of the Regulations had been scheduled to take effect on May 1, 2009, so companies now have an additional eight months to reach compliance.

Second, the provisions of the Regulations concerning vendor management have changed significantly. The prior version contained detailed rules governing a company's dealings with every vendor or service provider that has access to the company's Personal Information (each, a "Vendor"). Specifically, it obligated companies to (i) select Vendors capable of complying with the safeguards in the Regulations, (ii) contractually require the Vendors to comply, and (iii) obtain written certifications of compliance from the Vendors. The new version drops those specific requirements. Instead, companies must take all reasonable steps to verify that each Vendor has the capacity to protect Personal Information in the manner the Regulations require, and take all reasonable steps to ensure that the safeguards the Vendor applies are at least as stringent as those the Regulations require for Personal Information.

Finally, the revisions clarify the provision that mandates encryption of information transmitted wirelessly. The revised Regulations make clear that this requirement applies to Personal Information, as defined in the Regulations, rather than to "data," the term used previously, which could in theory have been read far more broadly.

With the effective date pushed back to January 1, 2010, companies now have more time to get their policies, systems, and contracts in order. The changes to the vendor provisions, and in particular the removal of the vendor certification requirement, will ease some of the administrative burden on covered companies. For most companies, however, the Regulations will still require significant changes in a number of areas, so continued focus on compliance efforts is recommended.

This website, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice. The views expressed on this blog are my personal views alone and do not necessarily reflect views of my employer.
About: Jacqueline Klosek, Senior Counsel in the Business Law Department of Goodwin Procter LLP, is a frequent author and commentator on data privacy and security. You can email her at jacquelineklosek@gmail.com