Alert November 17, 2008

Effective Date Delayed for Massachusetts Information Security Rules

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) announced late last week that it has delayed the effective date of the state’s new information security rules. The rules, which were issued in final form on September 22, 2008, had been scheduled to go into effect on January 1, 2009. Most provisions of the information security rules will now go into effect on May 1, 2009.

As discussed in our September 29, 2008 Client Alert, “New Massachusetts Regulations to Mandate Comprehensive Information Security Requirements,” these information security rules are written very broadly, specifically referencing “all persons that own, license, store or maintain personal information about a resident of the Commonwealth.” The rules, which are available here, have stricter requirements (particularly in the areas of vendor contracts and data encryption) than federal standards or those of other states.

The mandatory compliance date for provisions requiring written certification of compliance from third-party service providers and for the encryption of portable electronic devices other than laptops has been extended to January 1, 2010.

Although the OCABR has granted a temporary reprieve, entities that may be subject to the requirements should continue preparations.