Massachusetts Amends Strict Data Privacy Law (Again)


UPDATE: Another revision was published on November 5, 2009. See: Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)

The Massachusetts’ Office of Consumer Affairs and Business Regulation has decided to amend the strict data privacy law and extend the deadline for compliance. This is yet another amendment to the regulations. The last amendment had extended the compliance deadline to January 1, 2010.

In keeping with Governor Deval Patrick’s commitment to balancing consumer protection with the needs of small business owners, the adjustments to Massachusetts’ identity theft regulations allow some flexibility in compliance by small businesses. The regulations now have a risk-based approach that may make it easier on small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, can take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

Key amendments to 201 CMR 17.00 include:

Section 17.01 (1) Purpose of the regulation was amended to include language from M.G.L. 93H.

Section 17.01 (2) Scope of the regulations was revised to cover “persons who own or license personal information”. Section removes previous regulatory language related to those that “store or maintain personal information”.

Section 17.02 Encryption definition was amended to be technology neutral. A definition for the term “owns and licenses” was added to focus the protection of personal information in “connection with the provision of goods or services or in connection with employment”. A new definition for the term “service provider” was added.

Section 17.03 (1) Duty to protect rules look to address size and scope of a firm within the development and implementation of a written information security plan. (2) Amends and removes some requirements for the written information security plan. (f) Amends third party vendor rules and provides a two year window relative to contracts and requirements for compliance.

Section 17.04 Amends computer requirements for persons that own or license personal information to develop a written information security plan “that at a minimum, and to extent technologically feasible, shall have the following elements”.

Section 17.05 Amends the effective date of the regulations to March 1, 2010.

There will be a hearing on the revised regulations commencing at 10:00 a.m. on Tuesday September 22, 2009, in Room No. 5-6, Second Floor of the Transportation Building, Ten Park Plaza Boston, Massachusetts 02116. Interested parties will be afforded a reasonable opportunity at the hearing to present oral or written testimony. Written comments will be accepted up to the close of business on September 25, 2009. Such written comments may be mailed to: Office of Consumer Affairs and Business Regulation, 10 Park Plaza, Suite 5170, Boston, MA 02116, Attention: Jason Egan, Deputy General Counsel, or e-mailed to