Deadlines for Compliance with Massachusetts' New Privacy Regulations Extended

Deadline Extension

The Office of Consumer Affairs and Business Regulation (OCABR) has extended its January 1, 2009 deadline for compliance with the newly promulgated Massachusetts privacy regulations.  According to OCABR, the extension of time will assist businesses in implementing the required measures during this economically uncertain time. 

The new standards deadlines are:

• May 1, 2009 for general compliance.  This has been changed from the original deadline of January 1, 2009.
• May 1, 2009 for ensuring that third-party service providers are capable of providing safeguards for personal information and for executing contracts with third-party providers to provide such safeguards.  This has been changed from the original deadline of January 1, 2009.
• May 1, 2009 for encryption of company laptops.  This date has changed from January 1, 2009.
• January 1, 2010 to receive written certification from third-party service providers that they have complied with the new Massachusetts privacy regulations.  This will assist businesses in educating their third-party service providers, many of whom may be located outside of Massachusetts, or, replace non-compliant third-party service providers as required by the regulations.  This date has been changed from January 1, 2009.
• January 1, 2010 for the encryption of all other portable devices, aside from laptops, such as memory sticks and PDAs.  This has been changed from January 1, 2009.

Most companies in Massachusetts and even companies outside of Massachusetts will need to comply with the regulations.  Any company that collects the personal information of a Massachusetts resident is subject to the regulations.  “Personal Information” refers to a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following:  (a) Social Security Number; (b) driver’s license number or state issued identification card number; or (c) financial account number, or credit card or debit card number.  Companies that are covered by this broad definition include:

• Companies with one or more employees who are Massachusetts residents
• Retail shops
• Companies transacting business via the Internet
• Law firms of all sizes that collect credit card information or social security numbers from clients
• Accounting firms
• Hospitals and medical providers
• Telecommunications companies
• Newspapers, magazines, television and radio stations
• Insurance companies