Delayed Implementation of Data Security Laws in Massachusetts
For the second time since announcing its new data security laws, Massachusetts has delayed their implementation. The laws are now set to become effective on January 1, 2010, a full year later than the initial January 1, 2009 deadline (which had previously been pushed back to May 1, 2009 for compliance with most provisions). The decision to extend the compliance deadline is the result of a January 16, 2009 public hearing during which representatives from a variety of businesses voiced strong concerns about their ability to meet a May 1, 2009 deadline.
In addition to delaying the date the laws will go into effect, the Massachusetts Office of Consumer Affairs and Business Regulation (MOCABR) also eliminated certain requirements. As initially drafted, businesses would have been required to include language in contracts certifying a service provider’s compliance with the new data security laws and would have been prohibited from sharing personal data with service providers until receipt of written data security certification. In contrast, the updated data security laws eliminate the certification requirement and instead require businesses that maintain personal information about a Massachusetts resident to “(t)ak[e] all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such information.” 201 CMR 17.03(3)(6). The full text of the revised regulations can be found here.
MOCABR defended the recent changes by stressing that the changes do not alter the level of data protection for Massachusetts residents, but merely reduce the administrative burden on businesses. It is important to note that the change to a “reasonable measure” standard is in contrast to the recent push by several states to require compliance with specific security requirements and brings Massachusetts in line with the established practices of states such as California and Texas.
For a discussion of other state data security laws, see the Arent Fox Legal Alert dated November 19, 2008, titled New State Data Security Laws: Moving from “Reasonableness” to Express Security Standards.
For more information about state data privacy and security laws or for assistance in compliance with these laws, please contact:
David C. Gryce
gryce.david@arentfox.com
202.775.5797
Halle Markus
markus.halle@arentfox.com
202.857.6113


