Today, the Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) issued proposed amendments to the Massachusetts information security regulations, 201 CMR 17.00 to 17.05 (.doc). The highlights of the proposed regulations include the following:
- Enforcement of the regulations is postponed until March 1, 2010.
- Businesses affected by the regulations include anyone that “receives, maintains or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”
- The written information security program required by the regulations should be appropriate to the size and scope of the business, the resources available to the business and the need for security.
- The revised regulations require that businesses enter into written contracts with service providers that require those service providers to adopt appropriate security measures. There is a grandfather provision that deems any contract entered into before March 1, 2010 to be in compliance with this aspect of the regulations.
- All technical (i.e., computer, network and electronic) security measures are only required “to the extent technically feasible.” The FAQ accompanying the revised regulations has this to say about what is technically feasible: “if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.”
OCABR also issued a useful FAQ on the proposed amendments (.doc) that takes on questions such as “Do all portable devices have to be encrypted?” (Answer: no, only the ones that contain personal information) and “Must I encrypt my backup tapes?” (Answer: yes, on a going forward basis). In OCABR’s press release (.doc), Undersecretary Barbara Anthony states that the amended regulations reinforce that “technical feasibility plays a role in what many businesses, especially small businesses can do to protect data.” OCABR will hold a public hearing on the proposed rules at 10:00 a.m. on September 22, 2009 (see OCABR’s notice of public hearing (.pdf)).
These regulations ignited a storm of controversy beginning in late 2008, and the deadline has been progressively postponed from January 1, 2009, to May 1, 2009, then to January 1, 2010, and finally to March 1, 2010. In May, Massachusetts State Senate Chairman Michael Morrissey criticized the regulations as “beyond [the law’s] intent” at a public hearing on proposed Senate Bill 173 (.pdf), a bill to substantially revise the Massachusetts law and scale back OCABR’s onerous information security regulations. Progress on the bill stalled when newly appointed OCABR Undersecretary Anthony agreed to issue amended regulations to bring the regulations closer to the legislative intent and respond to the concerns voiced by the small business community.
Small correction, these are not just “proposed amendments” — the OCABR issued a new regulation, not just a proposal for one. However, it does not take effect until March 1, 2010, so there is still time for them to change it again (or for the state legislature to pass SB173) before it comes into effect.