Intellectual Property and Technology
Alert - August 19, 2009
 
Massachusetts ID Theft Regulation Revised: Deadline Extended to March 1, 2010 and Compliance Obligations Updated
 
August 19, 2009
 
Maximillian James "Max" Bodoin - Boston
Ieuan Mahony - Boston

On August 17, 2009, the Office of Consumer Affairs and Business Regulation (OCABR) announced: (1) an extension of the deadline for compliance with 201 CMR 17.00 (Regulation 201); and (2) further revisions to the Regulation. Considered by advocates to be a landmark in data security regulations, Regulation 201 establishes standards for the protection of personal information of Massachusetts residents.

Under Regulation 201, certain entities that possess “personal information” about residents of the Commonwealth are obligated to develop, implement and maintain a comprehensive security program that is written in one or more readily accessible parts. Covered entities include, for example, any person, corporation, association, partnership or other legal entity (and expressly exclude certain governmental organizations). Personal information is defined as a Massachusetts resident’s (1) first name and last name, or first initial and last name, in combination with (2) any one or more of the following data elements that relate to a particular resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, credit card number or debit card number.

In the announcement, OCABR stated that the revisions to Regulation 201 were designed to maintain protections while reinforcing compliance flexibility for small businesses. Undersecretary Barbara Anthony stated that the “updated regulations feature a fair balance between consumer protections and business realities.” Regulation 201 has been strongly criticized by various industry groups.

With the revisions, OCABR emphasized that a covered entity must perform a risk assessment in creating and implementing its written information security program, as well as in enforcing its program. According to the announcement, the “[n]ew language in the regulations recognizes that the size of a business and the amount of personal information it handles plays a role in the data security plan the business creates. The new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.”

Among the revisions to Regulation 201, OCABR has extended the compliance deadline to March 1, 2010. The revised compliance deadline is the third extension OCABR has made.

Other key amendments include changing the steps that covered entities must take when engaging third parties to handle records containing personal information, deleting the provision addressing how long covered entities can retain records containing personal information, and relaxing covered entities’ obligations to inventory their existing records.

If you have any questions about the revisions to Regulation 201, or would like assistance in your compliance efforts, Holland & Knight attorneys can advise you on these issues.
