Massachusetts ID Theft Regulation Revised: Deadline Extended to March 1, 2010 and Compliance Obligations Updated

On August 17, 2009, the Office of Consumer Affairs and Business Regulation (OCABR) announced: (1) an extension on the deadline for compliance with 201 CMR 17:00 (Regulation 201); and (2) further revisions to the Regulation. Considered by advocates to be a landmark in data security regulations, Regulation 201 establishes standards for the protection of personal information of Massachusetts residents.

Under Regulation 201, certain entities that possess “personal information” about residents of the Commonwealth are obligated to develop, implement and maintain a comprehensive security program that is written in one or more readily accessible parts. Covered entities include, for example, any person, corporation, association, partnership or other legal entity (and expressly excludes certain governmental organizations). Personal information is defined as a Massachusetts resident’s (1) first name and last name, or first initial and last name, in combination with (2) any one or more of the following data elements that relate to a particular resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, credit card number or debit card number.

In the announcement, OCABR stated that the revisions to Regulation 201 were designed to maintain protections while reinforcing compliance flexibility for small businesses. Undersecretary Barbara Anthony stated that the “updated regulations feature a fair balance between consumer protections and business realities.” Regulation 201 has been strongly criticized by various industry groups.

With the revisions, OCABR emphasized that a covered entity must perform a risk assessment in creating and implementing its written information security program, as well as in enforcing its program. According to the announcement, the “[n]ew language in the regulations recognizes that the size of a business and the amount of personal information it handles plays a role in the data security plan the business creates. The new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.”

Among the revisions to Regulation 201, OCABR has extended the compliance deadline to March 1, 2010. The revised compliance deadline is the third extension OCABR has made.

Other key amendments include changes to the steps that covered entities must take when engaging third parties to handle records containing personal information, deleting the provision addressing how long covered entities can retain records containing personal information, and relaxing covered entities’ obligations to inventory its existing records.

If you have any questions about the revisions to Regulation 201, or would like assistance in your compliance efforts, Holland & Knight attorneys can advise you on these issues.