According to BNA reporter Martha Kessler, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has filed its final information security regulations and will be making them public this week. BNA has released what it claims to be the final regulations (.pdf) [also available from BNA here (html)]. The final rules appear to have been tweaked only slightly from the draft regulations issued on August 17, 2009. In a redline comparison (.pdf) against the last draft, two primary revisions emerge:
- Entities affected by the regulations have been expanded to include businesses and individuals that merely store personal information; and
- A clarification was made to the provision requiring affected businesses to negotiate written contracts with service providers that handle personal information. The tweaks make clear that the grandfather provision that permits companies to rely on service provider contracts already in place will expire on March 1, 2012.
The March 1, 2010 deadline remains unchanged.
While the final regulations have not been posted to the OCABR website, many are eagerly waiting to see whether the OCABR also provides additional guidance on how to comply, as Undersecretary Anthony promised at the public hearing on these regulations in September.
UPDATE: On Wednesday, November 4th, the OCABR released the final Massachusetts information security regulations (.pdf) to the public, as predicted. In its new release, the OCABR also announced the publication of its report on consumer data breaches between 2007 and 2009 (.pdf). The report indicates that since the Massachusetts data breach notification law (M.G.L. ch. 93H) went into effect in 2007, over 1 million Massachusetts residents have been affected by a noticed breach. Among the many practices mentioned in the report, the OCABR has warned against: (1) "poor employee handling;" (2) documents sent to the wrong recipient; and (3) not taking steps to prevent access by terminated employees.