Why Mass. 201 CMR 17 Deadline Was Extended
Companies based in or doing business in Massachusetts have a few extra months to meet compliance deadlines for the state's tough 201 CMR 17 data protection law. The simple reason: too few understand the law to meet the original January deadline. (Part 1 in a series)
By Bill Brenner, Senior Editor
November 24, 2008 — CSO —
Editor's note: For a complete audio transcript of the recent National Information Security Group (NAISG) discussion on 201 CMR 17, visit our podcast page.
The reason for the extension -- and subsequent relief -- is simple. Too many companies are in the dark about 201 CMR 17.00 (Standards for The Protection of Personal Information of Residents of the Commonwealth) to meet a January compliance deadline.
Those who do understand the law say there is too much to do to meet the original compliance deadline, and they believe the deadline will be extended again.
"There may be issues with implementation, language and discrepancies between what various state documents say," National Information Security Group (NAISG) board director Jack Daniel said during a group discussion on the law last week in Waltham, Mass.
Issued in September, the regulations require that businesses encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data, and deploy up-to-date firewalls to create "an electronic gatekeeper" between the data and the outside world that only allows authorized users to access or transmit data.
The regulations were initially set to take effect Jan. 1, but last week the state Office of Consumer Affairs and Business Regulation (OCABR) extended the deadline to May 1 "in light of intervening economic circumstances."
"These sensible measures are already widely used by many Massachusetts companies, but we recognize that some businesses currently facing economic uncertainties will benefit from having additional time to comply," Undersecretary of Consumer Affairs and Business Regulation Daniel C. Crane said in a written statement. "The action serves to provide flexibility to businesses working to implement the necessary measures to safeguard their customers' personal information in a timely manner."
Under the new deadline structure:
- The general compliance deadline for 201 CMR 17.00 is extended to May 1. The date is consistent with a new FTC Red Flag Rule requiring financial institutions and creditors to develop and implement written identity theft prevention programs, Crane said.
- Businesses now have until May 1 to verify that their third-party service providers are capable of protecting personal information and to contractually obligate them to do so. Meanwhile, the deadline for obtaining written certification from third-party providers will be further extended to Jan. 1, 2010.
- The deadline to encrypt all laptops will be extended from Jan. 1 to May 1, and the deadline to encrypt other portable devices will be further extended to Jan. 1, 2010.