Business Community Given Additional Time to Comply with Identity Theft Prevention Regulations
Recognizing that the majority of breaches involve the theft of portable devices, and that data encryption significantly neutralizes consumer risk if information is lost or stolen, the regulations issued in September call on businesses to encrypt documents sent over the Internet or saved on laptops or flash drives, to encrypt wirelessly transmitted data, and to use up-to-date firewall protection that acts as an electronic gatekeeper between the data and the outside world, permitting only authorized users to access or transmit data.
The regulations were initially set to take effect on January 1, 2009, but in light of intervening economic circumstances, OCABR has extended the deadline in order to provide flexibility to businesses that may be experiencing financial challenges brought on by national and international economic conditions.
"These sensible measures are already widely used by many Massachusetts companies, but we recognize that some businesses, currently facing economic uncertainties, will benefit from having additional time to comply," said Undersecretary of Consumer Affairs and Business Regulation Daniel C. Crane. "The action taken today serves to provide flexibility to businesses working to implement the necessary measures to safeguard their customers' personal information in a timely manner."
The new deadlines are as follows:
- The general compliance deadline for 201 CMR 17.00 has been extended from January 1, 2009 to May 1, 2009. The date is consistent with a new FTC Red Flag Rule, which requires financial institutions and creditors to develop and implement written identity theft prevention programs. Businesses addressing the new FTC requirements can now address the state regulations during the same time frame.
- The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so will be extended from January 1, 2009 to May 1, 2009, and the deadline for requiring written certification from third-party providers will be further extended to January 1, 2010. This tiered deadline for requiring certification will ensure proper consumer protection and facilitate implementation without overburdening small businesses during harsh economic times.
- The deadline for ensuring encryption of laptops will be extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices will be further extended to January 1, 2010. Many data breaches reported to date relate to laptops, and laptops are more easily encrypted than other portable devices such as memory sticks, DVDs and PDAs.
OCABR will continue its outreach and educational initiatives throughout the fall and winter to educate businesses about these important data protection and storage requirements and their respective deadlines.
To review OCABR's report on data breach notifications, a compliance check list, FAQs and other information related to identity theft prevention, please visit http://www.mass.gov/?pageID=ocatopic&L=3&L0=Home&L1=Business&L2=Identity Theft&sid=Eoca.