Mirick O'Connell Header
Labor, Employment and Employment Benefits Client Alert
Labor, Employment and Employee Benefits Group:
Kim Rozak
Nick Anastasopoulos
Corey Higgins
Robert L. Kilroy
D. M. Moschos
Mike Murphy
Sharon Siegel
Jonathan Siegel
Marc Terry
Join Our Mailing List 
June 30, 2009
Massachusetts Data Security Regulations
The State Office of Consumer Affairs and Business Regulation recently amended the Massachusetts Data Security Regulations and extended the compliance deadline for the regulations to January 1, 2010.  The regulations establish minimum standards for safeguarding personal information contained in both paper and electronic records.  Such personal information encompasses Social Security numbers; driver's license or state-issued identification card numbers; and financial account, credit or debit card numbers, with or without any required security codes, personal identification numbers or passwords.
The recent amendments also require covered entities (defined as "persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts") to take "all reasonable steps" to verify that third-party service providers with whom the entities share personal information have the "capacity to protect such information" and to ensure that the providers are applying protective security measures as stringent as those required under the regulations.  The amended regulations no longer require covered entities to obtain a written certification from third-party service providers or to contractually require service providers to maintain safeguards for personal information. 
Please note that the amendments do not change the mandate that covered entities establish a written, comprehensive information security plan.

Data Security Regulations Red Flags Rule
The Federal Trade Commission has extended the compliance with the Red Flags Rule for companies that are deemed to be "finance or credit companies."  The compliance date now is August 1, 2009.  Under the FTC regulations, companies that are deemed to be credit companies need to have a policy and program to monitor the activity in their accounts for possible identity theft.
Please note, the FTC takes an expansive view of who is a credit company, defining the term as "any person who regularly extends, renews, or continues credit" - where "credit" is defined as "the right to defer payment of debt."   

Should you need assistance in developing a security plan, or if you have other questions, please contact us.
Very truly yours,
Labor, Employment and Employee Benefits Group
Mirick O'Connell
100 Front Street
Worcester, MA  01608-1477
t 508.791.8500
f 508.791.8502
This client alert is intended to inform you of developments in the law and to provide information of general interest.   It is not intended to constitute legal advice regarding a client's specific legal problems and should not be relied upon as such.  This client alert may be considered advertising under the rules of the Massachusetts Supreme Judicial Court.