MANAGEMENT MOXIE Nimble News

BACK BACK BACK...

No, not a home run at Fenway. The deadline for compliance with the new Massachusetts regulations for the protection of personal information has been pushed back once again. The new deadline is March 1, 2010. In addition, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) amended the applicable regulations. This edition of our newsletter explains the changes and suggests new best practices.

The regulations still require those that own or license "personal information" to "develop, implement and maintain a comprehensive written information security program." The definitions of "personal information" and "person" (e.g., person, corporation, association, partnership) remain unchanged from previous versions of the regulations. The goal of the regulations is also unchanged – to combat identity theft. (For more specific information about these sections of the regulations, see our prior newsletter COMPLIANCE ALERT found at www.foleylawpractice.com.)

WHAT'S NEW?
It is now clear that the regulations require each business to make its own risk assessment and then implement a plan that addresses that company's individual risks. The trick is to determine a reasonable and appropriate plan for each individual business given the risks posed by its operations. For example, the regulations require (and permit) consideration of certain factors: "(a) the size, scope and type of business...; (b) the amount of resources available to [the business]; (c) the amount of stored data; and (d) the need for security and confidentiality of [the] information." The assessment will also include consideration of the technical feasibility of protections for each business.

The OCABR also made changes to the certification requirement from third-party service providers regarding electronically stored data and altered the definition of "encrypted." The new regulations require companies to take reasonable steps to ensure that their third-party service providers are "capable of maintaining appropriate security measures." Moreover, the new encryption definition is broader to allow for expected advances in technology.

It is worth noting that even in the absence of a law requiring a protection plan, businesses that fail to protect their customers' and employees' personal information are, at a minimum, subject to civil claims for damages. We expect these new regulations to become the law sometime in 2010, and we expect them to be substantially similar to the current version.

We have developed a comprehensive compliance program that includes a compliance audit and the preparation of a written information security plan. We work in tandem with IT specialist SMH Electronics to ensure that your computer system complies with the encryption requirements.

You can reach us at 508-548-4888 or info@foleylawpractice.com to request assistance.
© 2008 FOLEY & FOLEY, PC, ALL RIGHTS RESERVED