Massachusetts Data Security Rules Delayed and Revised Again

Privacy, Data Security & Information Law Update

Massachusetts has once again delayed implementation and moderated its stringent data security rules because of concerns about the impact on small businesses. This is the third time that state regulators have amended the rules and extended the compliance deadline. The amended regulations are currently scheduled to take effect on March 1, 2010, two months later than previously scheduled. However, Massachusetts will hold a hearing on the amended regulations on September 22, 2009, and accept public comments until September 25, 2009, suggesting that further revisions are still possible. The new rules are intended to be less prescriptive than prior versions, and to conform more closely to the substance of analogous federal and state laws. However, any business that processes or stores personal information of Massachusetts employees, consumer or other residents will need to establish a written, comprehensive information security program by the March 1 deadline.