The Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) announced late last week that it has delayed the effective date of the state’s new information security rules. The rules, which were issued in final form on September 22, 2008, had been scheduled to go into effect on January 1, 2009. Most provisions of the information security rules will now go into effect on May 1, 2009. The mandatory compliance date for provisions requiring written certification of compliance from third‑party service providers and for the encryption of portable electronic devices other than laptops has been extended to January 1, 2010.
As discussed in a September 29, 2008 Goodwin Procter Client Alert, “New Massachusetts Regulations to Mandate Comprehensive Information Security Requirements,” these information security rules are written very broadly, specifically referencing “all persons that own, license, store or maintain personal information about a resident of the Commonwealth.” The rules, which are available here, have stricter requirements (particularly in the areas of vendor contracts and data encryption) than federal standards or those of other states. Although the OCABR has granted a temporary reprieve, entities that may be subject to the requirements should continue preparations.