Massachusetts Delays Implementation of New Data Security Regulations

17 November 2008 Publication

Legal News Alert: Privacy, Security & Information Management

On Friday, November 14, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) announced an extension of the compliance deadline for recently finalized data security standards. The new compliance dates are May 1, 2009, and January 1, 2010.

The new compliance deadlines are as follows:

May 1, 2009: Companies’ internal policies and practices must generally comply by May 1, 2009, and company laptops affected by the regulations must be encrypted by this date. Firms also have until May 1, 2009 to amend contracts with service providers, incorporating the data security requirements of the regulations but without the immediate need for written certification of service provider compliance.

January 1, 2010: Companies will have more than a year before they must obtain a written certification from service providers regarding compliance with the regulations. The January date also applies to the encryption of other portable devices, including USB memory sticks, PDAs, or DVDs.

The OCABR released the data security regulations (201 CMR 17.00) in late September 2008 and had anticipated a compliance date of January 1, 2009. While the official reason for the delay in compliance is to provide companies with flexibility during the current economic challenges, many companies likely would have missed the compliance dates, with potentially severe repercussions. Recently the Federal Trade Commission (FTC) delayed the enforcement date of its Red Flag Rules to May 1, 2009 because many companies were similarly unprepared. The OCABR selected the May 1, 2009 date for general compliance to coincide with the FTC’s deadline.

As with the FTC’s delay of the Red Flag Rule, this extension gives companies the opportunity to comply with increasing data security requirements in a less rushed, more careful manner. During the interim period, the OCABR anticipates providing further guidance and education to businesses regarding the regulations.


Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or the following:

Peter F. McLaughlin, CIPP
Boston, Massachusetts