Alert August 25, 2009

Massachusetts Again Revises Data Security Regulations

The closely watched data security regulations issued by the Massachusetts Office of Consumer Affairs and Business Regulation were once again revised by the agency. The regulations, applicable to those possessing personal information of state residents, impose significant data security requirements. As part of the most recent revision, the effective date of the regulations has been changed to March 1, 2010. The agency also issued new FAQs about the regulations and announced that an additional public hearing on the regulations will be held on September 22, 2009. Most notably, the revised version of the regulations and FAQs provide some additional flexibility in the use of security technology, including encryption, and state that the required comprehensive information security program must be “appropriate” to the size, scope and type of business, the amount of resources and data, and the need for security and confidentiality of the data. The revised regulations are described in greater detail in a recent Goodwin Procter Client Alert.