ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations

In September, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued broad identity theft regulations that require virtually every business that retains information on Massachusetts residents to develop comprehensive policies and procedures to address the risk of identity theft by January 1, 2009. 

On Friday, November 14, 2008, OCABR announced that it will give businesses until May 1, 2009 to comply with the new regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same date, May 1, 2009. 

In conjunction with the recently enacted Massachusetts identity theft statute, Mass. Gen. Laws ch. 93H, the Massachusetts identity theft regulations published as 201 CMR 17.00 set specific standards for businesses that own, license, store or maintain personal information about any Massachusetts residents. There are several key provisions in the new regulations:

  • Businesses subject to the regulations include any company, whether or not based in Massachusetts, that owns, licenses, stores or maintains “personal information” about Massachusetts residents.
  • “Personal information” is defined to include a resident’s name in combination with a Social Security number, driver’s license number, credit card or bank account information.
  • Affected businesses are required to develop, implement, maintain and monitor a comprehensive information security program that identifies and mitigates the risks of potential identity theft.
  • Businesses are required to set limits on when employees may access, keep and transport records containing personal information outside of company offices and to impose disciplinary measures on employees who violate the information security policies.
  • The regulations also specifically require that computer systems containing personal information be protected by encryption, secure user logins, firewall systems, virus and malware protection and reasonably up-to-date system software.

The Massachusetts Attorney General is authorized to enforce these regulations, but at this stage, as with any new regulatory framework, the form and level of government enforcement is unclear. However, the new regulations direct the Attorney General to take into account the size and nature of the business, as well as the resources available to it, when assessing compliance.

2.13.2009 UPDATE: As we report in our client alert, the OCABR has filed amended regulations to extend the deadline for compliance with the Massachusetts identity theft regulations to January 1, 2010.

Document Library

Here you will find a selection of the articles, documents and other resources highlighted in our various posts. In most cases links are either to another site or a PDF.  


Security & Privacy Guides

Foley Hoag publishes eBooks from time to time. This material is written by lawyers from the Firm's Security & Privacy practice for the purpose of providing general guidance on security, privacy and the law.

  • Five Key Steps to Developing an Information Security Program (.pdf): In this eBook, Gabriel Helmer introduces you to the key first steps in developing a written information security program to comply with federal and state regulations. The eBook also includes our guides to the Federal Trade Commission's Red Flags Rule, 16 CFR 681, and Massachusetts' identity theft regulations, 201 CMR 17.00.
  • Security & Privacy Guide: FTC Red Flags Rule (.pdf) provides a condensed outline of what you need to know about the FTC's Red Flags Rule, 16 CFR 681. If you are looking to answer questions about whether the Rule applies to you and what a business needs to do to comply, this is a good place to start.
  • Security & Privacy Guide: Massachusetts Identity Theft Regulations (.pdf) is a brief introduction to the Massachusetts identity theft regulations that walks you through the requirements of these regulations and discusses what needs to be included in a "comprehensive, written information security program."
  • Security & Privacy Guide: August 2009 Revisions to the Massachusetts Identity Theft Regulations (.pdf) is a redline comparison of the most recent amendments to the Massachusetts identity theft regulations.

Noteworthy Court Filings & Documents

  • Criminal Complaint: USA v. Alberto Gonzales, Civ. A. No. (D.Mass.) contains the criminal charges against the individual alleged to be behind the massive consumer data breach at Heartland Payment Systems as well as the previous breach at TJX, Inc.
  • Civil Complaint: American Bar Association v. Federal Trade Commission, Civ. A. No. (D.D.C.): In this case, the ABA seeks a ruling that lawyers are not required to comply with the FTC's Red Flags Rule.