Massachusetts ID Theft Regulation Amendment: Compliance Deadline Extended to January 1, 2010

On Thursday, February 12, 2009, the Office of Consumer Affairs and Business Regulation issued a revised version of 201 CMR 17:00 (“Regulation 201”) – the Standards for the Protection of Personal Information of Residents of the Commonwealth. Under Regulation 201, certain entities that possess “personal information” about residents of the Commonwealth are obligated to develop, implement, maintain and monitor a comprehensive, written information security program designed to protect such personal information. The recent amendment to Regulation 201 extended the compliance deadline from May of 2009 until January 1, 2010. The amendment also included revisions to the steps that a covered entity must take with respect to ensuring that its third-party service providers comply with Regulation 201.

In the amendment’s announcement, the undersecretary of the Office of Consumer Affairs and Business Regulation was quoted as saying: “It is time for business and other holders of personal information to ensure that consumers’ information is kept safe.” The Undersecretary’s statement reinforces the importance of compliance and the Commonwealth’s dedication to protecting its residents’ personal information. The extension provides covered entities with much-needed time in order to come into compliance with Regulation 201.

If you have any questions about the revisions to Regulation 201, or would like assistance in your compliance efforts, Holland & Knight attorneys can advise you on these issues.