Welcome news for companies that maintain personal information of Massachusetts residents: The state’s Office of Consumer Affairs and Business Regulation has once again eased and delayed new identity theft regulations that require companies to encrypt personal information stored on portable devices or transmitted wirelessly or on public networks.

The latest delay, announced Feb. 12, gives companies an extra eight months to prepare for the new rules, which now take effect Jan. 1, 2010. The regulations were originally scheduled to take effect on Jan. 1, 2009, but were later delayed until May 1 of this year.

OCABR also made changes that alleviate some of the obligations imposed by the regulations, including easing the service provider oversight requirements of the rules, which were among the most burdensome, according to a legal update by Morrison & Foerster lawyers Nathan Taylor and Miriam Wugmeister.

Specifically, MoFo notes, companies would’ve been required to take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect that information, including selecting and retaining service providers capable of maintaining safeguards for personal information and contractually requiring service providers to maintain such safeguards. Moreover, before granting a third-party service provider access to personal information, a company would’ve been required to obtain written certification from the third-party service provider that the provider has a written, comprehensive information security program that’s in compliance with the regulations.

However, the revised regulations remove the express contractual requirement and written certification requirement, MoFo notes. Instead, a company subject to the regulations must take all reasonable steps to: (1) verify that service providers with access to personal information are capable of maintaining safeguards for personal information in the manner provided in the regulations; and (2) ensure that the service provider’s safeguards are “at least as stringent” as those required under the regulations.

While the extension of the compliance date is a welcome development, Wugmeister and Taylor note that, “in light of the complexity and specificity of the regulations as a whole, compliance efforts should remain a high priority at companies that maintain personal information of Massachusetts residents.”

Topics