On August 17, 2009, Massachusetts announced revisions to its information security regulations and extended the deadline for compliance with those regulations.  In the press release announcing the revised regulations, the Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation noted the concerns of small business leaders regarding the impact on their companies, stating that the updated regulations “feature a fair balance between consumer protections and business realities.”

First and foremost, the revisions emphasize a more flexible, risk-based approach to developing an information security program.  Previously the regulations required the adoption of a program incorporating specific elements without regard to the particular concerns of individual businesses.  The revised regulations instead direct businesses to implement an information security program that takes into consideration what is “appropriate to (a) the size, scope and type of business … ; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.” 

Second, the revisions modify several of the information security program requirements to reflect the risk-based approach.  For example, employers that must protect personal information from terminated employees will not be obligated to do so by “immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.”  Rather, the new regulation has a more customizable requirement that such employers “prevent[] terminated employees from accessing records containing personal information.”

Third, the definition of “encrypted” has been amended so as to make the encryption requirement technology-neutral, and there is a general emphasis on technical feasibility with respect to the various technological elements of an information security program.  For example, the revisions qualify that all computer system security requirements, including secure user authentication protocols and secure access control measures, should be implemented “to the extent technically feasible.”  Previously, only encryption was subject to the technical feasibility qualification.

Fourth, the term “service provider” is now specifically defined, and persons who own or license personal information will have to include information security requirements in their contracts with third-party service providers.  This parallels the service provider provision contained in the FTC’s Safeguards Rule promulgated pursuant to the Gramm-Leach-Bliley Act.

Finally, the compliance deadline for these regulations has been extended to March 1, 2010.  This is the third time Massachusetts has extended the deadline, following prior extensions that occurred in February 2009 and November 2008.