Massachusetts extends deadline on data security rules again

13.02.2009
For the second time in three months, Massachusetts officials have pushed back the deadline for companies to comply with a controversial set of that the state announced last September.

In addition to the deadline extension, which was , the state's (OCABR) also revised a key provision in the regulations that had prompted considerable concern within the business community both inside and outside of Massachusetts.

Under the new deadline, businesses now have until the start of next year to comply with the regulations, which are aimed at protecting the of Massachusetts residents . Prior to the extension, the compliance deadline was May 1. That date was set in November, when the OCABR of Jan. 1.

In a statement Thursday, Daniel Crane, the OCABR's undersecretary, said that given the importance of the data-protection mandate, state officials decided it was necessary to give companies more time to make the necessary changes to their systems and business processes. Crane also cited the . "We understand the impact of the current business environment, and feel [next January] is an appropriate timeframe for companies to implement the necessary protections," he said.

As part of the revisions, state regulators also removed an especially contentious requirement mandating that companies get third parties with access to customer data to attest that they, too, were compliant with the regulations. That provision also required third-party service providers to include language in their contracts specifying that they were willing and able to comply with the security rules.

Under the revised regulations, companies only have to take "reasonable steps" to verify that any third-party providers with access to personal data have the ability to protect the information through measures that are comparable to the ones spelled out by the OCABR.