Wednesday, January 7, 2009

MA Data Protection Law - Deadline Extended to May 1, 2009

The new law will affect just about all businesses in Massachusetts: 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. The good news is that the General Compliance Deadline has been extended from January 1, 2009 to May 1, 2009.

The regulation states that "Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information. Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records".

"Personal information" is defined as: "(a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number."

"Person," is defined as: "a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof."
Basically, this regulation applies to every business in Massachusetts.

In November, the Office of Consumer Affairs and Business Regulation issued a press release announcing an extension of the deadline:

  • The general compliance deadline has been extended from January 1, 2009 to May 1, 2009
  • The deadline for requiring written certification from third-party providers will be further extended to January 1, 2010
  • The deadline for ensuring encryption of portable devices (other than laptops) has been further extended to January 1, 2010.

This gives all businesses some more time to comply.

No comments: