November 17, 2009

Final Massachusetts ID Theft Regulation Filed – Additional Compliance Requirements Announced

Holland & Knight Alert
Maximillian J. Bodoin

Governor Patrick’s Office of Consumer Affairs and Business Regulation (OCABR) announced on November 4, 2009, that it has filed the final Massachusetts ID Theft Regulation, also known as 201 CMR 17:00 (“Regulation 201”). Regulation 201 establishes standards for the protection of personal information of Massachusetts residents. The final form of Regulation 201 differs from the previous version in that it now obligates covered entities to amend existing agreements with third-party service providers that they engage to handle personal information.

The goal of Regulation 201 is to help combat the loss of personal information. “In two years, Massachusetts residents have had to deal with the personal chaos of lost or stolen personal information more than one million times,” stated OCABR Undersecretary Barbara Anthony. “We hope these regulations will make it harder for information to get into the wrong hands, and lower the number of instances of data being lost or stolen.” Along with the announcement, OCABR released a report detailing 807 breach incident notifications it received since notification became mandatory two years ago.

Revisions to Regulation 201

The most significant change to Regulation 201 is a requirement that covered entities amend existing agreements that they have with third-party service providers to include language requiring these providers to implement and maintain “appropriate” security measures for the protection of personal information. Covered entities have until March 12, 2012, to amend existing agreements or any agreements entered into before March 10, 2010. Agreements entered into after March 10, 2010, must have the new provision to be in compliance. Examples of third-party service providers may include offsite record storage companies, 401(k) program administrators and outside legal counsel.

The revisions also include the removal of the reference to the U.S. Postal Service from the definition of “Service Provider” and the addition of “storing” to the list of activities that trigger compliance obligations.

Need Help Developing an Information Security Program?

Holland & Knight attorneys have developed a baseline, fixed-fee Regulation 201 compliance package designed to assist covered entities in preparing and implementing an Information Security Program.
