In September, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued broad identity theft regulations that require virtually every business that retains information on Massachusetts residents to develop comprehensive policies and procedures to address the risk of identity theft by January 1, 2009.
On Friday, November 14, 2008, OCABR announced that it will give businesses until May 1, 2009 to comply with the new regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same date, May 1, 2009.
In conjunction with the recently enacted Massachusetts identity theft statute, Mass. Gen. Laws ch. 93H, the Massachusetts identity theft regulations published as 201 CMR 17.00 set specific standards for businesses that own, license, store or maintain personal information about any Massachusetts residents. There are several key provisions in the new regulations:
- Businesses subject to the regulations include any company, whether or not based in Massachusetts, that owns, licenses, stores or maintains “personal information” about Massachusetts residents.
- “Personal information” is defined to include a resident’s name in combination with a Social Security number, driver’s license number, credit card or bank account information.
- Affected businesses are required to develop, implement, maintain and monitor a comprehensive information security program that would identifying and mitigate the risks of potential identity theft.
- Businesses are required to set limits on when employees may access, keep and transport records containing personal information outside of company offices and impose disciplinary measures on employees that violate the information security policies.
- The regulations also specifically require that computer systems containing personal information are protected by encryption, secure user logins, firewall systems, virus and malware protection and reasonably up-to-date system software.
The Massachusetts Attorney General is authorized to enforce these regulations, but at this stage, as with any new regulatory framework, the form and level of government enforcement is unclear. However, the new regulations direct the Attorney General to take into account the size and nature of the business, as well as the resources available to it, when assessing compliance.
2.13.2009 UPDATE: As we report in our client alert, the OCABR has filed amended regulations to extend the deadline for compliance with Massachusetts identity theft regulation to January 1, 2010.