On March 28, 2011, Massachusetts Attorney General Martha Coakley announced a settlement with the Briar Group in connection with a 2009 data breach that jeopardized the payment card information of “tens of thousands” of consumers.

Continue Reading Massachusetts Attorney General Reaches $110,000 Data Breach Settlement with Boston Restaurant Group

After several delays and revisions, the Massachusetts information security regulations, entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth,” will take effect on March 1, 2010. The regulations apply to entities that own or license personal information about Massachusetts residents. “Personal information” is defined as a combination of a resident’s first and last name and Social Security number, driver’s license or state ID number, or financial account number or payment card number that permits access to the individual’s financial account.

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.

On August 17, 2009, Massachusetts announced revisions to its information security regulations and extended the deadline for compliance with those regulations.  In the press release announcing the revised regulations, the Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation noted the concerns of small business leaders regarding the impact on their companies, stating that the updated regulations “feature a fair balance between consumer protections and business realities.”


Massachusetts recently announced that it is extending the deadline for compliance with new state data security regulations. In consideration of the current economic climate, Massachusetts has extended its original compliance deadline of January 1, 2009. The new compliance deadline will be phased in. By May 1, 2009, companies that are subject to the regulations must generally comply with the new standards and must contractually ensure the compliance of their third-party service providers. In addition, by May 1, 2009, covered businesses must encrypt laptops containing personal information. By January 1, 2010, companies are required to have a written certification of compliance from their third-party service providers and must encrypt other company portable devices, such as memory sticks and PDAs.
