Massachusetts Delays Compliance Deadline for New Data Security Rules Concerning Its Residents
11.18.2008
The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) has extended to May 1, 2009 its deadline for businesses and others to comply with its new data security regulations. Obligations to encrypt portable devices, other than laptops, and to obtain written certifications from third-party service providers are extended to January 1, 2010.
The Massachusetts regulations, Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00, mandate robust data security standards and written information security programs for holders of certain information about Massachusetts residents. The rules were originally set to take effect on January 1, 2009. The OCABR extended the compliance deadline to provide greater flexibility to businesses that may face financial challenges given the current economic downturn.
The new compliance date matches the recently extended deadline set by the Federal Trade Commission to comply with "Red Flag Rules" requiring certain businesses to implement a program to detect, prevent and respond to threats of identity theft in connection with accounts covered by the rules.*

Action Items for Your Business to Consider:

- If you have not done so already, review whether you hold personal information about Massachusetts residents. "Personal information" is defined as a Massachusetts resident's first and last name, or first initial and last name, in combination with his or her (i) Social Security number, (ii) driver's license number or state-issued identification card number or (iii) financial account or credit/debit card number. Note: If you have Massachusetts employees, you are likely to hold at least Social Security numbers, triggering application of this rule.
- If you hold such personal information, assess whether your business has implemented practices and adopted policies to safeguard such personal information in both paper and electronic forms, and whether those practices and policies meet the detailed requirements of the Massachusetts rule.

* Consider whether you are also required to comply with the Red Flag Rules and whether overlapping compliance activities, such as access controls and vendor oversight, can be combined.
For more detailed information, see our Digestiblelaw.com postings about Massachusetts' data security regulations and the FTC's Red Flag Rules.