UPDATE: New Massachusetts Data Privacy Regulations Effective March 1, 2010
See my original January 2008 post (updated) for a discussion of this subject. After a significant amount of back-and-forth between business interests and the OCABR, final regulations were issued, relaxing somewhat (but not entirely) the new requirements that businesses handling sensitive personal information adopt written security policies.
Among the thornier issues is the requirement that “owners and licensees” of this information mandate compliance in their third party contracts. In response, a limited grace period – until 2012 – is extended to bring contracts executed prior to March 1, 2010 in compliance.
Given the momentum – at the state and federal (HITECH) level – it seems clear that businesses not currently encrypting this information now fail to do so at their peril.
Comments are closed.