The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) announced on November 4, 2009, the filing of final regulations (pdf) with the Secretary of State’s office, the final step before the regulations take effect March 1, 2010.
The final regulations differ slightly from the version of the regulations issued in August 2009, which made significant revisions to the earlier version of the rules.
OCABR clarified in the final regulations that:
- those who store personal information must comply, and
- until March 1, 2012, contracts with service providers will be deemed to satisfy the contract requirement, even if the contract does not require the service provider to maintain appropriate safeguards, as long as the contract was entered into no later than March 1, 2010. However, it is recommended that contracts with service providers be amended as soon as possible to require appropriate safeguards, since similar requirements may apply under federal or other state law (such as HIPAA or the data security laws of Maryland, Oregon or Nevada).
While the regulations have had a number of changes, the written information security program requirement remains, along with a number of other safeguards for personal information that require immediate attention.
A checklist for the final regulations can be found here (pdf).