February 13, 2009

Massachusetts Data Security Regulations Are Delayed and Amended – New Effective Date Is January 1, 2010

Yesterday, the Massachusetts Office of Consumer Affairs and Business Regulation issued a revised version of the new Massachusetts data security regulations on the Standards for the Protection of Personal Information of Residents of the Commonwealth, as set forth in 201 CMR 17.00 (the "Regulations"). As previously reported in Goodwin Procter’s September 29, 2008 and November 17, 2008 alerts, the regulations impose very strict – and specific – data security requirements for all businesses with personal information of Massachusetts residents. The amendments to the Regulations make two significant changes and one clarification.

First, the effective date of the Regulations has been changed to January 1, 2010. The bulk of the Regulations had been scheduled to take effect on May 1, 2009. Companies will have more time for compliance.

Second, there have been significant changes to the vendor management portions of the Regulations. The prior version of the Regulations contained specific rules regarding a company’s interactions with vendors and service providers having access to personal information of Massachusetts residents. Specifically, the prior version of the Regulations required companies to, among other things, contractually obligate vendors to comply with the Regulations (specifically referencing them) and to obtain written certifications of compliance from vendors. That level of specificity has been removed. The contractual provision requirement and vendor certification have been eliminated. .

Instead, companies will be required to take "all reasonable steps" to (i) verify that all vendors with access to personal information have the capacity to protect personal information in the manner provided for in the Regulations; and (ii) ensure that the "protective security measures" used by the vendors to protect personal information are at least as stringent as those required to be applied under the Regulations.

Third, the provision that mandates encryption for information that is transmitted wirelessly has been clarified. The revised Regulations clarify that the encryption requirement applies only to "all data containing personal information" rather than to "all data" to be transmitted wirelessly.

With the effective date pushed back to January 1, 2010, companies will now have more time to get their policies and systems in order. The changes to the Goodwin Procter LLP Page 2 vendor and encryption provisions alleviate some of the burdens for companies covered by the rules. For most companies, the Regulations continue to necessitate significant changes in data security practices.