On February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) announced that it revised, for a second time, the state’s data security regulation that requires businesses that handle certain sensitive “Personal Information” of Massachusetts residents to develop and implement a comprehensive, written information security program. These revisions -- changes to the terms on third party service providers and the compliance date -- provide some relief for businesses required to comply with the rigorous provisions of the Regulation.

Specifically, this Client Advisory provides an overview of the service provider requirements, including the provisions that were removed and the requirements still in effect. The OCABR also has extended the deadline for compliance with all provisions of the Regulation from May 1, 2009 to January 1, 2010.

Massachusetts (Again) Revises the State’s Data Security Regulation; Compliance with Entire Regulation Extended Until Jan. 2010