Massachusetts Extends Compliance Date on Information Security Program Requirements
URGENT
[23066]
November 14, 2008
TO: COMPLIANCE MEMBERS No. 61-08OPERATIONS MEMBERS No. 23-08
PRIMARY CONTACTS - MEMBER COMPLEX No. 17-08
PRIVACY ISSUES WORKING GROUP No. 17-08
SEC RULES MEMBERS No. 136-08
TECHNOLOGY COMMITTEE No. 30-08
TRANSFER AGENT ADVISORY COMMITTEE No. 66-08 RE: MASSACHUSETTS EXTENDS COMPLIANCE DATE ON INFORMATION SECURITY PROGRAM REQUIREMENTS
The Massachusetts Office of Consumer Affairs and Business Regulations (“Office”) issued the attached press release today announcing that the compliance date for its rules imposing data privacy standards* has been extended from January 1, 2009 to:
May 1, 2009 for:
- Contractually binding third-party service providers to the rules’ requirements;
- Ensuring encryption of laptops; and
- All provisions of the rules for which the compliance date has not been extended to January 1, 2010.
January 1, 2010 for:
- Requiring written certifications from third-party service providers; and
- Ensuring encryption of portable devices.
Apparently the May 1st date is based on the compliance date for the Red Flag Guidelines of the Federal Trade Commission, even though (1) the requirements of the Red Flag Guidelines are very different from the requirements of the Massachusetts rules; and (2) not all businesses are subject to the Red Flag Guidelines.
The Institute and a group of its members will be meeting with the Secretary of the Office this coming Monday, November 17th, to discuss our continued concerns with these compliance dates. In addition, the Institute will be testifying at a legislative hearing in Boston on Wednesday, November 19th regarding our concerns with the rules. We will keep you posted regarding any developments. In the meantime, if you have any questions, please contact the undersigned by phone (202-326-5825) or email (tamara@ici.org).
Tamara K. Salmon
Senior Associate Counsel