United States: Privacy And Security Alert: Breaking News--Massachusetts Extends Deadline To Comply With Data Security Standards To May 1, 2009

Citing the difficult economic conditions, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) today extended the deadline for compliance with standards for how businesses protect and store consumers' personal information.

According to an OCABR press release, "These sensible measures are already widely used by many Massachusetts companies, but we recognize that some businesses, currently facing economic uncertainties, will benefit from having additional time to comply," said Undersecretary of Consumer Affairs and Business Regulation Daniel C. Crane. "The action taken today serves to provide flexibility to businesses working to implement the necessary measures to safeguard their customers' personal information in a timely manner."

The new deadlines are as follows:

• The general compliance deadline for 201 CMR 17.00 has been extended from January 1, 2009 to May 1, 2009. The date is consistent with a new Federal Trade Commission (FTC) Red Flag Rule, which requires financial institutions and creditors to develop and implement written identity theft prevention programs. Businesses addressing the new FTC requirements can now address the state regulations during the same time frame.

• The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so will be extended from January 1, 2009 to May 1, 2009, and the deadline for requiring written certification from third-party providers will be further extended to January 1, 2010. This tiered deadline for requiring certification will ensure proper consumer protection and facilitate implementation without overburdening small businesses during harsh economic times.

• The deadline for ensuring encryption of laptops will be extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices will be further extended to January 1, 2010. Many data breaches reported to date relate to laptops, and laptops are more easily encrypted than other portable devices such as memory sticks, DVDs, and PDAs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.