Massachusetts WISP Law Update

Commonwealth of Massachusetts Privacy Regulations Revised And Simplified Deadline Extended Until March 1, 2010

Citing concessions to the burdens placed on small businesses, on August 17, 2009, the Commonwealth's Office of Consumer Affairs and Business Regulation ("OCABR") again revised the so-called identity theft or privacy regulations, further extending the date for compliance until March 1, 2010.

The major conceptual change in the revised regulations is their new emphasis on a "risk-based approach" to implementation. In plain terms, a company now has the flexibility to scale its efforts in implementing the regulations based on "the size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations," as summarized by the OCABR. Where the prior version of the regulations indicated that compliance would be judged (assumedly at the time of enforcement) in light of the relative business size along with the amount and accessibility of personal information, that scalability has now shifted to the demands required of a business in initially implementing the regulations. According to OCABR, the "[n]ew language in the regulations recognizes that the size of a business and amount of personal information it handles plays a role in the data security plan the business creates."

The revised regulations postpone, again, the date for compliance an additional two months (formerly the deadline was January 1, 2010). The plain language of the remaining changes to the regulations tighten, focus and simplify language, but do not appear to materially change the process for businesses. Each company must still evaluate its use and storage of personal information, create a comprehensive written security plan or plans, implement feasible safeguards (including employee training and reasonable protection of electronically stored and transmitted information), and monitor and report breaches and unauthorized disclosures although each phase may be moderated to the scale and nature of business operations and volume of protected information. A public hearing on the revisions will be held by OCABR on September 22, 2009, which may result in further updates. Look for additional alerts throughout the fall.

Source: Hanify & King, P.C.,

This information may be considered advertising under the rules of the Supreme Judicial Court of Massachusetts. The information is provided for background purposes and should not be considered legal advice."