Intellectual Property and Technology
Alert - November 17, 2009

Final Massachusetts ID Theft Regulation Filed — Additional Compliance Requirements Announced

Maximillian J. Bodoin - Boston
Ieuan Mahony - Boston

Governor Patrick’s Office of Consumer Affairs and Business Regulation (OCABR) announced on November 4, 2009, that it has filed the final Massachusetts ID Theft Regulation, also known as 201 CMR 17:00 (“Regulation 201”). Regulation 201 establishes standards for the protection of personal information of Massachusetts residents. The final form of Regulation 201 differs from the previous version in that it now obligates covered entities to amend existing agreements with third-party service providers that they engage to handle personal information.

The goal of Regulation 201 is to help combat the loss of personal information. “In two years, Massachusetts residents have had to deal with the personal chaos of lost or stolen personal information more than one million times,” stated OCABR Undersecretary Barbara Anthony. “We hope these regulations will make it harder for information to get into the wrong hands, and lower the number of instances of data being lost or stolen.” Along with the announcement, OCABR released a report detailing 807 breach incident notifications it received since notification became mandatory two years ago.

Revisions to Regulation 201

The most significant change to Regulation 201 is a requirement that covered entities amend existing agreements that they have with third-party service providers to include language requiring these providers to implement and maintain “appropriate” security measures for the protection of personal information. Covered entities have until March 12, 2012, to amend existing agreements or any agreements entered into before March 10, 2010. Agreements entered into after March 10, 2010, must have the new provision to be in compliance. Examples of third-party service providers may include offsite record storage companies, 401(k) program administrators and outside legal counsel.

The revisions also include the removal of the reference to the U.S. Postal Service from the definition of “Service Provider” and the addition of “storing” to the list of activities that trigger compliance obligations.

Need Help Developing an Information Security Program?

Holland & Knight attorneys have developed a baseline, fixed-fee Regulation 201 compliance package designed to assist covered entities in preparing and implementing an Information Security Program.
