Last week the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) submitted the final version of 201 CMR 17.00, the most comprehensive state data security law, which requires businesses that own or license personal information about Massachusetts residents to implement a written information security program with administrative, physical and technical safeguards, to ensure through due diligence and written contracts that third-party service providers obtaining personal information maintain appropriate security measures, and to encrypt personal information stored on portable devices or transmitted wirelessly or over the Internet.

To revisit briefly the tortured history of this regulation, the original version was highly prescriptive and mandated specific technological protections (such as 128-bit encryption) regardless of the size, nature and scope of the business and the risks involved. After wailing and lamentations from business groups, a near-final regulation (discussed in depth in this blog) was issued in August 2009 and shifted the regulatory standard to a more flexible, risk-based, technology-neutral approach. The final revisions were issued after a September 22 hearing, based on which the OCABR concluded that it had finally gotten it right.

The revisions are minimal and deal mostly with the compliance deadline for binding third-party service providers by contract. The final regulation makes it clear that existing contracts signed on or before March 1, 2010 do not have to contain the magic language requiring service providers to maintain appropriate security measures to protect personal information. However, this carve-out does not apply as of March 1, 2012; on that date, ALL contracts must be compliant.

Now that those damned Yankees have won the World Series, if you’re yearning to read the final regulation, you can get it here.
