Mass. delays enforcement of data security regs

The Massachusetts' Office of Consumer Affairs and Business Regulation is postponing the compliance date for its identity theft data security regulations in light of the current economic crisis.

The general compliance deadline for the state's 201 CMR 17 regulations was initially set for Jan. 1, 2009, but officials have pushed it to May 1. The regulations, issued in September, call for the encryption of wirelessly transmitted data and documents stored on laptop PCs or flash drives and the use of up-to-date firewall protection.

Massachusetts' new deadline matches the date for complying with the Federal Trade Commission's red flag rules, which require financial institutions and creditors to develop and implement programs to prevent identity theft. Businesses seeking to comply with the FTC requirements can now save money by addressing the state's regulations at the same time.

The deadline for third-party service providers to protect personal information was also extended to May 1, while the deadline for requiring written certification from third-party providers was extended to Jan. 1, 2010.

The deadline for ensuring encryption of laptop PCs is May 1, and the deadline for encrypting other portable devices is Jan. 1, 2010.

About the Author

Kathleen Hickey is a freelance writer for GCN.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.