A number of high-profile Massachusetts businesses and industry groups have sent Massachusetts governor Deval Patrick a letter requesting that the governor reissue existing identity theft regulations and give battered businesses two additional years to develop information security programs. This comes as a prelude to the public hearing scheduled today before the Massachusetts Office of Consumer Affairs and Business (OCABR) regarding the upcoming May 1, 2009 deadline for businesses to comply with recent Massachusetts identity theft regulations (201 C.M.R. 17.00 et seq.). The companies and organizations signing the letter included the Massachusetts Business Roundtable, the Massachusetts Package Store Association, the Massachusetts Hospital Associations, Google, Comcast, CitiGroup, AOL, Microsoft, The Gap, Verizon and Wal-Mart.
Mass High Tech’s story on this event can be found here.
Testimony of the Greater Boston Chamber of Commerce at the January 16, 2009 hearing can be found here.
The Privacy & Security Law Report reports that, at the hearing, representatives of employers, small businesses, financial institutions and universities asked the OCABR to extend the deadline for compliance beyond May 1st. According to these representatives, it will be “virtually impossible” for most of the covered entities to reach compliance by May 1, 2009. In addition, they urged the OCABR to review the new regulations again and make changes. Whether the OCABR will be swayed by the views of those attending the hearing remains to be seen. Given the economic climate the costs associated with upgrading systems to meet the new regulations, it is a safe bet that most covered entities would breathe a sigh of relief if the OCABR decides to extend the compliance deadline.
2.13.2009 UPDATE: As we report in our alert, OCABR has responded to this request by filing amended regulations that postpone the compliance deadline by eight months, to January 1, 2010.