Massachusetts Amends Strict Data Privacy Law (Again)


UPDATE: Another revision was published on November 5, 2009. See: Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)

The Massachusetts Office of Consumer Affairs and Business Regulation has decided to amend the strict data privacy law and extend the deadline for compliance. This is yet another amendment to the regulations. The last amendment had extended the compliance deadline to January 1, 2010.

In keeping with Governor Deval Patrick’s commitment to balancing consumer protection with the needs of small business owners, the adjustments to Massachusetts’ identity theft regulations allow some flexibility in compliance by small businesses. The regulations now have a risk-based approach that may make it easier on small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, can take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

Key amendments to 201 CMR 17.00 include:

Section 17.01 (1) Purpose of the regulation was amended to include language from M.G.L. 93H.

Section 17.01 (2) Scope of the regulations was revised to cover “persons who own or license personal information”. The section removes the previous regulatory language covering those that “store or maintain personal information”.

Section 17.02 Encryption definition was amended to be technology neutral. A definition for the term “owns and licenses” was added to focus the protection of personal information in “connection with the provision of goods or services or in connection with employment”. A new definition for the term “service provider” was added.

Section 17.03 (1) Duty to protect rules now take into account the size and scope of a firm in the development and implementation of a written information security plan. (2) Amends and removes some requirements for the written information security plan. (f) Amends third-party vendor rules and provides a two-year window for bringing contracts into compliance with the requirements.

Section 17.04 Amends computer requirements for persons that own or license personal information to develop a written information security plan “that at a minimum, and to extent technologically feasible, shall have the following elements”.

Section 17.05 Amends the effective date of the regulations to March 1, 2010.

There will be a hearing on the revised regulations commencing at 10:00 a.m. on Tuesday September 22, 2009, in Room No. 5-6, Second Floor of the Transportation Building, Ten Park Plaza Boston, Massachusetts 02116. Interested parties will be afforded a reasonable opportunity at the hearing to present oral or written testimony. Written comments will be accepted up to the close of business on September 25, 2009. Such written comments may be mailed to: Office of Consumer Affairs and Business Regulation, 10 Park Plaza, Suite 5170, Boston, MA 02116, Attention: Jason Egan, Deputy General Counsel, or e-mailed to



7 Responses to Massachusetts Amends Strict Data Privacy Law (Again)

  1. Patrick Engelman August 21, 2009 at 2:10 pm

    One omission from their FAQ on the changes is the fact that the 3rd party contract requirement (which had been removed in an earlier revision) has been re-added — this basically says that any time a third party has access to personal information, that third party must be contractually obligated to protect that information.

    • Anonymous January 28, 2010 at 1:12 pm

      Hi Patrick,

      It’s Brian Wheeler from WBZNewsRadio Radio in Boston. I’d like to ask you a few questions about this law and your experience in compliance assistance. You can reach me at 617-787-7591.


  2. Jennifer March 17, 2010 at 10:50 am

    Does this law apply to Vermont businesses who employ Massachusetts residents?

    Thank you.
    Jennifer LoCascio

  3. Jennifer March 17, 2010 at 10:51 am

    Does this law affect Vermont businesses with Mass residents?

    • Doug Cornelius March 17, 2010 at 11:04 am

      I assume that you have the social security numbers for those Massachusetts residents. That means it applies to you and that information.

