
New data breach regulations governing how you handle the personal information of Massachusetts resident customers and employees are due to take effect on January 1, 2009. It is important to note that these regulations apply to every entity that holds such information, not merely those located in Massachusetts. The regulations establish minimum standards for safeguarding personal information in both paper and electronic formats. While AeA continues its efforts to improve these regulations, we urge you to become aware of them now and take action to ensure your company's compliance.
Background and Current Status
Last year, the Massachusetts State Legislature passed a law on data breach and ID theft (M.G.L. c.93H). The law directed the Office of Consumer Affairs and Business Regulation to develop accompanying regulations. Draft regulations were released earlier this year, then put on hold following a loud outcry from the business community. Throughout this process, AeA has been actively engaged in efforts to improve both the law and the regulations with regard to encryption and data security.
Unfortunately, the final regulations released on September 22, 2008 by the Patrick Administration (201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth) still contain problematic elements. These regulations take effect on January 1, 2009, and while we continue efforts to improve them, we encourage you to act now to educate yourself about them and take steps to comply. In our view, the regulations are seriously flawed, and the practical consequences of some requirements make it impossible for companies to comply within the time granted. Specifically, we believe the regulations need to be amended to change the encryption definition, the requirement to certify third-party vendors, and the requirement to conduct a complete data inventory.
View our letter.
We have been joined in these efforts by a broad-based coalition of business groups.
Regulations Take Effect January 1 --
Educate Yourself Now
All entities maintaining "personal information" (see definition below) for any customer or employee who is a Massachusetts resident must comply with these regulations by January 1st. The regulations define "personal information" as: "a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that 'Personal information' shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public."
Please do not hesitate to call our office for more information.
Anne Doherty Johnson, Executive Director
AeA New England Council
444 Washington Street, Suite 405
Woburn, MA 01801-1072
Phone: 781.938.1925
Fax: 781.938.0091