Once again, businesses handling the personal information of Massachusetts residents have been granted an extension to comply with the Massachusetts Data Security Regulations. The proposed new compliance deadline is March 1, 2010. Personal information is defined as a resident's first name (or first initial) and last name combined with a Social Security number, a driver's license or state-issued identification card number, or a financial account, credit card or debit card number.
On August 17, 2009, the Office of Consumer Affairs and Business Regulation (OCABR) released revised regulations which Undersecretary Barbara Anthony believes will “feature a fair balance between consumer protection and business realities.” OCABR says it listened to the concerns of small business leaders and “understand[s] that there were issues regarding the impact these regulations have on those companies.”
The new regulations scale the compliance requirements to a company's size, scope of business, the amount of stored data it maintains, the resources available to it for compliance, and the need for security and confidentiality of both consumer and employee information. As a result, the new regulations are “risk based in implementation” rather than risk based only at the time of enforcement, which reverses the approach of the previous regulations. This gives businesses greater flexibility to tailor a program that fits each individual business.
In addition, the regulations are now technology neutral, an acknowledgement that technical feasibility will play a role in determining what many businesses must do to protect data. This is a welcome departure from the original regulations and an indication that OCABR recognizes the significant economic and practical issues facing businesses, large and small, in complying with these regulations.
Despite this temporary reprieve, businesses handling the personal information of Massachusetts residents should begin evaluating their data security measures now and implementing the mandated comprehensive written information security program (“WISP”). Prince Lobel’s Privacy Group is working with clients to provide the guidance needed to develop and implement WISPs and to document compliance with the new regulations.
A public hearing on the proposed regulations will be held on September 22, 2009 at 10:00 AM at the Transportation Building, 10 Park Plaza, Boston, MA.
Deadline Extended: March 1, 2010 Proposed New Deadline for Data Security Compliance (MA)
August 26, 2009
Privacy Law Extension Dates
November 25, 2008
Massachusetts recently responded to an outcry from the business community regarding the new privacy regulations promulgated by the Office of Consumer Affairs and Business Regulation. An earlier blog entry summarized the new requirements. Here are the new deadlines:
Deadline Extension
The Office of Consumer Affairs and Business Regulation (OCABR) has extended its January 1, 2009 deadline for compliance with the newly promulgated Massachusetts privacy regulations. According to OCABR, the extension will help businesses implement the required measures during this economically uncertain time.
The new deadlines are:
- May 1, 2009 for general compliance (changed from the original deadline of January 1, 2009).
- May 1, 2009 for verifying that third-party service providers are capable of safeguarding personal information and for executing contracts with those providers requiring such safeguards (changed from January 1, 2009).
- May 1, 2009 for encryption of company laptops (changed from January 1, 2009).
- January 1, 2010 for obtaining written certification from third-party service providers that they have complied with the new Massachusetts privacy regulations. This gives businesses time to educate their third-party service providers, many of whom may be located outside Massachusetts, or to replace non-compliant providers as the regulations require (changed from January 1, 2009).
- January 1, 2010 for encryption of all other portable devices, such as memory sticks and PDAs (changed from January 1, 2009).
Most museums in Massachusetts, and even museums outside Massachusetts, will need to comply with the regulations. Any museum that collects the personal information of a Massachusetts resident is subject to them. “Personal information” means a Massachusetts resident’s first name and last name, or first initial and last name, in combination with any one or more of the following: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit card or debit card number. If you collect any of this information in the course of accepting memberships, accepting donations, or making sales in your retail shop or online store, you must comply.
Massachusetts Privacy Regs – JANUARY 1, 2009 DEADLINE
November 14, 2008
PLEASE READ!! IMPORTANT INFORMATION!!
With little fanfare, and more importantly little notice, Massachusetts has issued a set of privacy regulations that will affect virtually any business dealing with the personal information of Massachusetts residents. The regulations, found at 201 CMR 17.00 of the Massachusetts Code of Regulations, impose a strict set of requirements that must be met by January 1, 2009. Most museums will be required to meet them.
Any business that deals with Massachusetts residents and collects a resident's first and last name, or first initial and last name, together with (a) the resident’s Social Security number, (b) driver’s license or state identification number, or (c) financial account number or credit/debit card number is subject to these regulations.
The regulations require strict compliance. A museum must:
- Formulate a comprehensive written information security program (WISP), which must include, at a minimum, the 12 provisions outlined in section 17.03 of the regulations;
- Meet specific computer system security requirements covering secure user authentication protocols, secure access control measures, encryption, system monitoring and security software;
- Maintain an education and training program for all employees on the proper use of the security system and the importance of protecting personal information;
- Ensure that every third-party service provider with access to personal information certifies that it has a WISP in place and is capable of securing personal information;
- Update employment manuals accordingly.
If a security breach occurs at a non-compliant institution, the institution could be subject to triple damages, costs and attorneys’ fees. With the January 1, 2009 deadline fast approaching, museums should review their privacy practices to ensure they meet the minimum regulatory requirements.
Posted by pcarusoii