
On August 20, the Massachusetts Office of Consumer Affairs and Business Regulation amended 201 CMR 17.00 to adopt a more flexible, risk-based and technology-neutral approach to defining the information security program requirements for businesses that own or license personal information about Massachusetts residents. The amended regulation, which will take effect March 1, 2010 (pushed back from January 1, 2010), can be viewed here.

I will discuss the changes more fully in an upcoming post, but overall they respond to concerns from recession-racked businesses about the stringent encryption and other technical and computer security requirements of the regulation, which would have applied across the board to businesses regardless of their size and resources and the technical feasibility of implementation.

So, for example, the amended regulation now requires only that personal information stored on portable devices or transmitted over the Internet be encrypted “to the extent technically feasible.” Furthermore, it drops the requirement of a 128-bit or higher encryption standard. More generally, businesses’ information security programs now need only contain safeguards that are appropriate to the size, scope and type of business and the amount of resources available to the business. The third-party service provider oversight provision has also been modified to be consistent with the FTC’s Safeguards Rule implementing the information security requirements of the Gramm-Leach-Bliley Act: businesses must take “reasonable steps” to select service providers capable of maintaining appropriate security measures for personal information and must require them by contract to do so. However, any contract entered into prior to March 1, 2010 will not be considered non-compliant before March 1, 2012, even if it lacks these provisions.

More to follow soon.
