On February 11, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) announced that the effective compliance date of the security regulation, 201 CMR 17.00 (the “Regulation”), has been extended a second time from May 1, 2009 to January 1, 2010.

Businesses now have a little over 10 months to comply with the Regulation. As we reported in our previous Client Advisories (Extension of Robust New Massachusetts Security Rules – What is Needed Now to Comply by May 1; New Massachusetts Guidelines for Mandatory Computer Security Policies; and Information Security Breaches and Appropriate Responses – New Mandatory Security Rule in Massachusetts and Privacy Policy in Connecticut), the Regulation requires any business, regardless of size and location, that owns, licenses, stores or maintains “personal information” of Massachusetts residents, including customers, employees, and others, to develop or revise its existing security policies, to amend third party contracts, and to implement encryption and other safeguards to satisfy the new Massachusetts requirements.

By January 1, 2010, regulated entities must now take “all steps” reasonable to verify that third party service providers are protecting personal information in compliance with the Regulation. While the amendment technically eliminated the provision requiring companies to contractually ensure third party compliance, contractual requirements, including new representations and warranties, will nevertheless as a matter of sound practice be needed by January 1, 2010. Fortunately, the amendment does remove the separate written certification requirement that was to have been required of third party vendors.

The new deadlines under the Regulation are:

  • The general compliance deadline for 201 CMR 17.00 has been extended from May 1, 2009 to January 1, 2010.
  • The deadline for ensuring that third-party service providers are capable of protecting personal information has been extended from May 1, 2009 to January 1, 2010.
  • The deadline for ensuring encryption of personal data stored on laptops and portable devices is made the same and is January 1, 2010.

Note that this extension of the compliance date of the Regulation does not affect the Federal Trade Commission’s compliance date of May 1, 2009 for the federal Red Flag Rules.
