Friday, December 05, 2008

Massachusetts Extends Deadline for Compliance with Personal Information Security Rules

This posting is from CCH Financial Privacy Law Guide.

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) announced on November 14 that it has pushed back the deadline for compliance with its standards governing how businesses must protect and store consumers' personal information.

Providing Flexibility to Businesses

The regulations (201 Code of Massachusetts Regulations Sec. 17.01 through 17.04) initially were set to take effect on January 1, 2009, but OCABR extended the deadline to provide flexibility to businesses that may be experiencing financial challenges brought on by national and international financial conditions.

“These sensible measures are already widely used by many Massachusetts companies, but we recognize that some businesses, currently facing economic uncertainties, will benefit from having additional time to comply,” said Undersecretary of Consumer Affairs and Business Regulation Daniel C. Crane.

“The action taken today serves to provide flexibility to businesses working to implement the necessary measures to safeguard their customers' personal information in a timely manner.”

According to the OCABR, the new compliance dates are consistent with the Federal Trade Commission's recent delay of enforcement of the Red Flags Rules, which require financial institutions and creditors to develop and implement written identity theft prevention programs (72 Federal Register 63718-63775, November 9, 2007).

Information Security Program

The regulations, issued in September, require every business that owns, licenses, stores or maintains personal information about a resident of Massachusetts to develop, implement and monitor a comprehensive, written information security program covering all records that contain such information.

The security program must include computer system security requirements: businesses must encrypt personal information sent over the Internet or saved on laptops or flash drives, encrypt data transmitted wirelessly, and maintain up-to-date firewall protection that acts as an electronic gatekeeper between the data and the outside world, permitting only authorized users to access or transmit data according to preset rules. Businesses must also take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect it.

Laptops and Portable Devices

The deadline for ensuring encryption of laptops is extended to May 1, 2009, while the deadline for ensuring encryption of other portable devices is extended further, to Jan. 1, 2010. The OCABR noted that many reported data breaches have involved laptops, which are more easily encrypted than other portable devices such as memory sticks, DVDs and PDAs.

The deadline for obtaining written certification from third-party providers is likewise extended to Jan. 1, 2010, in order to ensure proper consumer protection and facilitate implementation without overburdening small businesses during harsh economic times.

Further information concerning the rules and the deadline for compliance will appear in CCH Privacy Law in Marketing.
