Intellectual Property and Technology
Alert - August 19, 2009
 
Massachusetts ID Theft Regulation Revised: Deadline Extended to March 1, 2010 and Compliance Obligations Updated
 
Maximillian James "Max" Bodoin - Boston
Ieuan Mahony - Boston

On August 17, 2009, the Office of Consumer Affairs and Business Regulation (OCABR) announced: (1) an extension of the deadline for compliance with 201 CMR 17.00 (Regulation 201); and (2) further revisions to the Regulation. Considered by advocates to be a landmark in data security regulations, Regulation 201 establishes standards for the protection of personal information of Massachusetts residents.

Under Regulation 201, certain entities that possess “personal information” about residents of the Commonwealth are obligated to develop, implement and maintain a comprehensive security program that is written in one or more readily accessible parts. Covered entities include, for example, any person, corporation, association, partnership or other legal entity; certain governmental organizations are expressly excluded. Personal information is defined as a Massachusetts resident’s (1) first name and last name, or first initial and last name, in combination with (2) any one or more of the following data elements that relate to a particular resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, credit card number or debit card number.

In the announcement, OCABR stated that the revisions to Regulation 201 were designed to maintain protections while reinforcing compliance flexibility for small businesses. Undersecretary Barbara Anthony stated that the “updated regulations feature a fair balance between consumer protections and business realities.” Regulation 201 has been strongly criticized by various industry groups.

With the revisions, OCABR emphasized that a covered entity must perform a risk assessment in creating and implementing its written information security program, as well as in enforcing its program. According to the announcement, the “[n]ew language in the regulations recognizes that the size of a business and the amount of personal information it handles plays a role in the data security plan the business creates. The new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.”

Among the revisions to Regulation 201, OCABR has extended the compliance deadline to March 1, 2010. The revised compliance deadline is the third extension OCABR has made.

Other key amendments include changes to the steps that covered entities must take when engaging third parties to handle records containing personal information, deletion of the provision addressing how long covered entities can retain records containing personal information, and relaxation of covered entities’ obligations to inventory their existing records.

If you have any questions about the revisions to Regulation 201, or would like assistance in your compliance efforts, Holland & Knight attorneys can advise you on these issues.
