Massachusetts recently announced that it is extending the deadline for compliance with new state data security regulations. In consideration of the current economic climate, Massachusetts has extended its original compliance deadline of January 1, 2009. The new compliance deadline will be phased in. By May 1, 2009, companies that are subject to the regulations must generally comply with the new standards and must contractually ensure the compliance of their third-party service providers. In addition, by May 1, 2009, covered businesses must encrypt laptops containing personal information. By January 1, 2010, companies are required to have a written certification of compliance from their third-party service providers and must encrypt other company portable devices, such as memory sticks and PDAs.
Massachusetts’ new May 1, 2009, compliance deadline coincides with the updated implementation deadline for the Federal Trade Commission’s Red Flags Rule. The Red Flags Rule contains provisions requiring certain financial institutions and creditors to put in place security measures aimed at detecting and preventing identity theft. Entities that are subject to both the Red Flags Rule and Massachusetts’ new regulations may be able to address the implementation requirements of both during the same program development process.