Massachusetts' Office of Consumer Affairs and Business Regulations recently amended Massachusetts' identity theft regulations, and last month held hearings on possible new amendments that the Office may issue soon. A copy of the latest version of the regulations is linked here. The latest regulations will take effect on March 1, 2010.
A year ago, the Office issued final regulations at Title 201 of the Code of Massachusetts Regulation, Section 17.00. These regulations called for people and businesses holding certain personal information about Massachusetts residents to develop, implement, and maintain a comprehensive written information security program with safeguards to minimize the risk of identity theft. The Office postponed the effective date of the regulations last year and earlier this year in light of concerns with the new laws.
On August 17, 2009, the Office issued the latest version of the regulations, in light of the needs of small business. The latest version states that the safeguards businesses must implement will depend on "the size, scope, and type of business" protecting the information. Thus, the new regulations create a sliding scale of compliance, and smaller businesses will not have to do as much to protect personal information as larger businesses that hold a lot more personal information. Ultimately, the nature of the safeguards a business will need to implement will depend on the nature and magnitude of the risks and vulnerabilities the business faces.
The Office held a hearing on further changes to the regulations in Boston on September 22, 2009. New regulations may emerge before the end of the year.
Partner, Cooke Kobrick & Wu LLP