Oops, they did it again - Identity Theft Regulations Amended and Extended
(Note: This E-Alert, authored by Amy B. Royal, Esq., also appears in the August 31, 2009 edition of Business West)
On August 17, 2009, the Office of Consumer Affairs and Business Regulation announced a new round of revisions to the identity theft regulations that are intended to be less onerous on smaller businesses with limited resources and more consistent with federal law. The regulation’s new effective date is March 1, 2010. This is the third time these regulations have been extended: they were initially slated to take effect on January 1, 2009, then extended to May 1, 2009 and again extended to January 1, 2010.
The most dramatic change in the new regulations is their adoption of a “risk-based approach” to information security. Under this approach, in creating and implementing a written information security program, businesses are permitted to take into account their particular business’ size, scope, amount of resources, nature and quantity of data collected or stored, and the need for security. Although the new regulations maintain the requirement that all businesses have a written information security program, the regulations provide that the scope and complexity of that program will vary from business to business depending on the business’ resources and the types of personal information it is storing or maintaining. For instance, the new regulations soften the requirements for businesses that only store personal employee information as opposed to those businesses that also store personal customer information.
The regulations clarify that they apply to “those engaged in commerce,” meaning those who collect and retain personal information in connection with the provision of goods and services or for the purpose of employment.
Additionally, a number of the specific provisions required to be included in the written information security program have been stricken from the regulations and, instead, are to be used as a form of guidance only. The computer security provisions apply only if “technically feasible,” which means if there are reasonable means through technology to accomplish the required result, then those reasonable means shall be utilized. The encryption requirement has been changed to be “technology neutral.”
The new regulations also change the third-party vendor requirements, making them more consistent with the Federal Trade Commission’s Safeguards Rule. Businesses are still responsible for selecting and retaining third-party vendors that are capable of properly safeguarding personal information. A public hearing on the new regulations is scheduled to be held on Tuesday, Sept. 22, at 10 a.m. at the Transportation Building, 10 Park Plaza, Boston.
This fall, Royal LLP will be holding seminars about these new changes at different locations throughout the Commonwealth on the following dates:
September 11, 2009 - Northampton
September 22, 2009 - Springfield
September 23, 2009 - Westfield
September 29, 2009 - Worcester
September 30, 2009 - Foxboro
We will continue to monitor the rule closely and will provide you with information on any further delays or developments. For more information about these seminars or for assistance in planning for compliance, please contact Amy B. Royal, Esq. at (413) 586-2288. Amy may also be reached by e-mail at aroyal@rkesq.com.