Computerworld - For the second time in three months, Massachusetts officials have pushed back the deadline for companies to comply with a controversial set of data security regulations that the state announced last September.

In addition to the deadline extension, which was announced late yesterday, the state's Office of Consumer Affairs and Business Regulation (OCABR) also revised a key provision in the regulations that had prompted considerable concern within the business community both inside and outside of Massachusetts.

Under the new deadline, businesses now have until the start of next year to comply with the regulations, which are aimed at protecting the personal data of Massachusetts residents (download PDF). Prior to the extension, the compliance deadline was May 1. That date was set in November, when the OCABR extended its original deadline of Jan. 1.

In a statement yesterday, OCABR undersecretary Daniel Crane said that given the importance of the data-protection mandate, state officials decided it was necessary to give companies more time to make the necessary changes to their systems and business processes. Crane also cited the economic recession. "We understand the impact of the current business environment, and feel [next January] is an appropriate time frame for companies to implement the necessary protections," he said.

As part of the revisions, state regulators also removed an especially contentious requirement mandating that companies get third parties with access to customer data to attest that they were compliant with the regulations as well. In addition, that provision also required third-party services providers to include language in their contracts specifying that they were willing and able to comply with the security rules.

Under the revised regulations, companies only have to take "reasonable steps" to verify that any third-party providers with access to personal data have the ability to protect the information through measures that are comparable to the ones spelled out by the OCABR.

Deborah Birnbach, an attorney at Goodwin Procter LLP in Boston who has been working with clients on compliance issues related to the regulations, said the changes are a definite improvement over the original rules, which she claimed would have required companies to rewrite their vendor contracts. Such a requirement would have been unreasonable, according to Birnbach — especially in the case of large companies that typically deal with numerous third parties at any given time. "Our clients have been somewhat up in arms," she said.

At a high level, the regulations — which implement the data breach provisions in the state's consumer protection law — require any business that handles sensitive personal information on Massachusetts residents to encrypt the data while it's being transmitted over public networks or stored on mobile devices such as laptops, handhelds and memory sticks.

Comment Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

data security

Additional Resources

WHITE PAPER

Do You Know the 7 Steps to Successful Data Migration?

Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.

WHITE PAPER

Total Cost of Ownership of Server Computing Vs. PCs

Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.

WHITE PAPER

IDC White Paper: Linux in a Global Recession

Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.

What People Are Saying

3 comments | Add new

See all comments (3) | Add new

White Papers & Webcasts

The Tripwire HIPAA Solution: Meeting the Security Standards Set Forth in Section 164
Learn how you can meet the detailed technical requirements of HIPAA and delivers continuous compliance.

Extending Client Refresh - 11 Steps to Maximize Savings
Register Now!

Confidently Meet Compliance Requirements
Download this Resource Now!

Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!

Getting in Compliance with Government Data Regulations
Learn about various regulations and how to comply with them when you read this white paper from VeriSign.

Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!

Maximizing Site Visitor Trust Using Extended Validation SSL
Provide site visitors visual cues that indicate your site is legitimate with Extended Validation (EV) SSL available from VeriSign.

Consolidate Your Servers and Storage to Lower Costs with Oracle Database 11g
Register for this webcast!

Authentication as a Service by Forrester Research
Learn more about Authentication-as-a-Service today!

The Commercialization of ITIL: Lessons Learned
Register for this event today!

All White Papers | All Webcasts