The Massachusetts Office of Consumer Affairs and Business Regulation filed final amendments to the state’s data security rules, set forth in 201 CMR 17.00. The rules impose significant requirements on those possessing personal information of state residents.
Most provisions in the rules are identical to the proposed rules released on August 17, 2009. The effective date of the rules remains March 1, 2010. Changes from the proposed version of the rules include the following:
- The definitions of a “Service Provider” and an entity that “owns and licenses” personal information now include persons that “store” personal information. The definitions in the proposed rules previously included persons that “maintain” personal information, so this change appears to be a clarification.
- The proposed rules stated that entities must contractually require third-party service providers to implement and maintain appropriate security measures, but grandfathered existing contracts entered into before March 1, 2010. The final rules maintain this provision but clarify that the contract must be entered into no later than March 1, 2010 and that the grandfather provision is valid until March 1, 2012.