Extension gives businesses until next year to comply with tough data privacy rules

The Massachusetts Office of Consumer Affairs and Business Regulation on Thursday issued amendments, and an extension, to the state’s tough data security regulations, known as Mass. 201 CMR 17. Under the extension, the rules will now take effect Jan. 1, 2010. This is the second time the deadline has been extended. It was previously set for May 1, 2009 — which was an extension on the original deadline of January 1, 2009. (See CSOonline’s explanation of the first extension here.)

The regulations mandate that personal information, a combination of a name along with a Social Security number, bank account number, or credit card number, be encrypted when stored on portable devices, or transmitted wirelessly or on public networks. Encryption of personal information on portable devices carrying identity data, such as laptops, PDAs and flash drives, must also be completed by Jan. 1, 2010, and will ensure better protection of personal information.

“It is time for businesses and other holders of personal information to ensure that consumers’ information is kept safe,” said Daniel C. Crane, the Undersecretary of the Office of Consumer Affairs and Business Regulation, in a statement. “These new safeguards are fundamental standards that will keep information safer and will help businesses reinforce a vital sense of trust with customers.”

While officials gave no reason for the extension, it may come as no surprise to many businesses, which have been critical of the mandates, believing they may be too costly and difficult for companies to implement. Security professionals in the area were thankful in November when they learned the deadline had been extended from January 2009 to May 2009.

The other news, the changes to the regulations, affects the standard for third-party vendor relationships.
Under the amendments, the following sections of the rules have been changed:

– Section 17.03 (6) Duty to Protect and Standards for Protecting Personal Information: Changes the standard for third party vendor relationships. “Taking all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00.”

– Section 17.04 Computer Security Requirements: Limits the requirement for encryption to personal data transmitted over public networks or wireless communications.