The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has once again extended the deadline for businesses to be compliant to its standard (201 CMR 17.00) on how they are to protect personal consumer data. The standard was to go into effect in January, but because of the economic conditions that financial organizations are facing, the OCABR has decided to extend the deadline to May 1, 2009.
Any business that collects personal information, and their service providers, must comply with the new standard. Businesses have the extension to sign new contracts with their service providers, and then have until Jan. 1, 2010, to certify that their third-party providers are compliant. This regulation affects businesses that have clients in Massachusetts even if the business itself does not have an office in the state. The standard is very specific in that it covers encrypting data transmitted over wireless, using current firewall protection, data access protection, and devices that can store data in transit such as BlackBerries, laptops and flash drives. The date to make sure that data is encrypted on these devices has been extended to the May 1, 2009, deadline as well.
Current regulations require that businesses notify customers when there is a theft of their personal data. The Massachusetts standards are all-encompassing and go well beyond any other state, or the federal government, in regards to protecting consumers' personal data. The OCABR will take the size and type of company into account when determining if a business is in compliance with the regulation.
I think that Massachusetts is taking an unprecedented step in trying to protect our personal data. In December, I wrote a post that identified a few bills that Congress is working on to protect consumer data. Let's hope that other states work to pass similar regulations.