Intellectual Property and Technology
Alert - August 19, 2009

Massachusetts ID Theft Regulation Revised: Deadline Extended to March 1, 2010 and Compliance Obligations Updated

Maximillian J. Bodoin - Boston
Ieuan Mahony - Boston

On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) announced: (1) an extension of the deadline for compliance with 201 CMR 17.00 (Regulation 201); and (2) further revisions to the Regulation. Considered by advocates to be a landmark in data security regulation, Regulation 201 establishes minimum standards for the protection of personal information about Massachusetts residents.

Under Regulation 201, entities that hold "personal information" about residents of the Commonwealth are obligated to develop, implement and maintain a comprehensive written information security program, which may be set out in one or more readily accessible parts. The regulation defines covered entities broadly to include any person, corporation, association, partnership or other legal entity, while expressly excluding certain governmental organizations. Personal information is defined as a Massachusetts resident's (1) first name and last name, or first initial and last name, in combination with (2) any one or more of the following data elements relating to that resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, credit card number or debit card number.

In the announcement, OCABR stated that the revisions to Regulation 201 were designed to maintain protections while reinforcing compliance flexibility for small businesses. Undersecretary Barbara Anthony stated that the “updated regulations feature a fair balance between consumer protections and business realities.” Regulation 201 has been strongly criticized by various industry groups.

With the revisions, OCABR emphasized that a covered entity must perform a risk assessment in creating and implementing its written information security program, as well as in enforcing its program. According to the announcement, the “[n]ew language in the regulations recognizes that the size of a business and the amount of personal information it handles plays a role in the data security plan the business creates. The new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.”

Among the revisions to Regulation 201, OCABR has extended the compliance deadline to March 1, 2010. The revised compliance deadline is the third extension OCABR has made.

Other key amendments include changes to the steps that covered entities must take when engaging third parties to handle records containing personal information, deletion of the provision that limited how long covered entities may retain records containing personal information, and relaxation of covered entities' obligations to inventory their existing records.

If you have any questions about the revisions to Regulation 201, or would like assistance in your compliance efforts, Holland & Knight attorneys can advise you on these issues.
