MA Privacy Regulation 201 CMR 17:00

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) issued amendments to the Massachusetts information security regulations, 201 CMR 17.00. The highlights of the regulations include the following:

  • Enforcement of the regulations takes effect March 1, 2010.
  • Businesses affected by the regulations include anyone that "receives, maintains or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."
  • The written information security program required by the regulations should be appropriate to the size and scope of the business, the resources available to the business and the need for security.
  • The revised regulations require that businesses enter into written contracts with service providers that require service providers to adopt appropriate security measures. There is a grandfather provision that deems any contract entered into before March 1, 2010 to be in compliance with this aspect of the regulations.
  • All technical (i.e., computer, network and electronic) security measures are only required "to the extent technically feasible." The FAQ accompanying the revised regulations has this to say about what is technically feasible: "if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used."

OCABR also issued a useful FAQ on the amendments, which states the differences between this version of 201 CMR 17.00 and the version issued in February of 2009. They also compiled a checklist to assist smaller organizations in their efforts to comply with the regulations. For more information on the regulations, go to www.mass.gov.