MFA - Moody, Famiglietti & Andronico, LLP

Final Version of Massachusetts Privacy Law Has Been Filed and Will Take Effect on March 1, 2010

The Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) has filed its final amendments to its information security regulations which take effect on March 1, 2010.  The new regulations will help to combat the loss of personal information which, according to the Patrick administration, has included 1,057,560 exposures in the last two years.

Final Changes to the Massachusetts Privacy Law (201 CMR 17.00)

On September 22nd, the OCABR held a public hearing to discuss the changes made in its August 2009 version of the regulations.  Based on testimony from that hearing, the OCABR made minor language changes in the final regulations.  While substantially similar to the August regulations, it is important to be cognizant of the language changes included in the final regulations.

  1. Definition of “Service Provider” Amended
  • The regulation’s definition of “service provider” has been expanded to include businesses and individuals who “store” information.  The final regulations make it clear that a company or individual who merely stores and does not otherwise process or access personal information of Massachusetts residents is still subject to the requirements of the regulations.
  • The revised regulations remove the specific exclusion of the U.S. Postal Service from the term “service provider.”  While it is unclear what the exact intent of removing this exclusion was, the OCABR has stated that companies must assess the risks of using a common carrier, including the U.S. Postal Service, to transmit personal information of Massachusetts residents.

  2. Changes to Contractual Obligations Relating to Third Party Service Providers
  • The State has clarified the language and compliance deadlines with regard to contracts between those who own, license or store personal information and third party service providers.  The final regulations state that if a company or an individual utilizes a third party to handle data, the contract must include provisions for appropriate safeguards by March 1, 2010.  Existing contracts are not required to be updated before March 1, 2012, but new or renewal contracts executed after March 1, 2010 must include appropriate safeguard provisions.

  3. Compliance Deadline Remains Unchanged
  • Under the final regulations, full compliance must be achieved by March 1, 2010.

Begin Compliance Efforts Now

The filing of the final version of Massachusetts Privacy Law is the last step before the regulations take effect on March 1, 2010.  The requirements for compliance are complex and the design and implementation of a comprehensive written information security program can require considerable time and resources.  Companies that delay run the risk of being in dangerous territory when the deadline passes. 

MFA’s experience in working with clients to achieve compliance has shown that the best course of action is to begin by conducting an organizational assessment as soon as possible. This detailed evaluation of your current information security policies will yield a full understanding of the gaps between current policies and regulatory requirements and will provide ample time to align resources to develop and implement a practical course of action for compliance.

Further Information

For More Information, Please Contact:

Matthew V. Pettine
CGEIT, CISA, ASE, MCSE, MCDBA
Managing Director
(978) 557-5354

Michelle Mackey
CFE, MBA
Director
(978) 569-2909

Material Discussed in this Perspective Issue is meant to provide general information and should not be acted on without obtaining professional advice tailored to your firm's individual and specific needs. This information is for general guidance only and is not a substitute for professional advice.
IRS CIRCULAR 230 DISCLOSURE: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.