Massachusetts' Office of Consumer Affairs & Business Regulations has once again delayed the effective date of its identity theft regulations and announced proposed changes to the rules that should make them more consistent with federal law and somewhat more palatable for smaller companies.

Under the latest postponement, the proposed new rules will take effect March 1, 2010, instead of Jan. 1, 2010. As Compliance Week has previously reported, the rules have been in flux for months. They were originally scheduled to take effect on Jan. 1, 2009.

The changes to make the rules more flexible for smaller companies and those that don't handle much personal information follow the introduction earlier this year of a state senate bill that would curtail the OCABR's power to enact regulations and significantly limit what the OCABR could require, notes Gabriel Helmer, an associate in the law firm Foley Hoag.

Among the changes: The written information security program required by the regulations should be "appropriate to the size and scope of the business, the resources available to the business, and the need for security."

Massachusetts Undersecretary of the OCABR Barbara Anthony said the proposed regulations "make clear that their approach to data security is a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers" and "feature a fair balance between consumer protections and business realities."

Under the revised rules, businesses affected by the regulations include anyone that "receives, maintains, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."

That's new language, though it's "unclear what precisely that means," says Helmer. The revised regulations also now require that businesses enter into written contracts with service providers that oblige those providers to adopt appropriate security measures. Under a grandfather provision, any contract entered into before March 1, 2010, would be deemed in compliance with the regulations. That's in line with federal rules, which Helmer says all require some kind of assurance from service providers.

Also new is language that states that all of the computer security provisions apply to a business if they are "technically feasible." According to a five-page FAQ issued by the OCABR, "technically feasible" means that if there is "a reasonable means through technology to accomplish a required result, then that reasonable means must be used."

Helmer suggests businesses covered by the rules assess their own circumstances and consider under the new proposed standards whether a particular provision is technically feasible.

"Under the proposed rules, small businesses with little personal information or limited resources can adopt an information security program without all of the bells and whistles of that of a Fortune 50 company," he says.

Under the proposed amendments, only portable devices that contain personal information have to be encrypted. Backup tapes must be encrypted on a going-forward basis.

A public hearing on the proposed changes is slated for Sept. 22.

"I expect some vibrant debate at the public hearing, and we may see some additional changes come out of that," Helmer tells Compliance Week.