Data Privacy Regulation

Massachusetts will soon implement a first-in-the-nation data privacy regulation – a sweeping set of rules which will impact the customer security practices of every company doing business in Massachusetts. The Chamber has been actively working with business and government leaders on this critical issue since 2008.

The regulation [201 CMR 17.00] implemented by the Office of Consumer Affairs and Business Regulation (OCABR) has a March 2010 general compliance date and calls for a sweeping new set of standards for employers who own or license personal information about a Massachusetts resident.  Those standards – including data encryption, record inventory, and third-party vendor requirements – were amended in August 2009 to reflect a risk-based, scalable approach to compliance, rather than a one-size-fits-all security plan. The most recent revisions were made in November 2009 and included minor language clarifications.

The Chamber has been working closely with the Patrick Administration and OCABR, the Attorney General's office, the Legislature, and business representatives to successfully secure key regulatory revisions and implementation delays designed to:

1. Lower costs,
2. Mitigate operational impacts, and
3. Facilitate compliance for companies of all sizes. 

Despite these revisions, the new regulation will demand material changes in business practices along with ongoing financial and resource investments by Massachusetts companies of all size and industry.  Yet ensuring data protection is a goal shared by all – and the Chamber believes this issue can be addressed without significantly impacting the competitiveness of the state.  In the months ahead, the Chamber will continue working with government and business leaders to:

• Advance the shared goals of secure customer data and a competitive business climate, and
• Increase education and preparedness among our members and the broader business community for complying with these forthcoming customer data requirements.

If your company has specific questions regarding this regulation, please contact OCABR at (617) 973-8700.  For additional information about the Chamber’s work on this issue, please contact Tim Sweeney, director of public policy, at (617) 557-7357.

Chamber Resource Links:

• Chamber Testimony:
  – May 12, 2009 before the Joint Committee on Consumer Protection and Professional Licensure
  – January 16, 2009 before the Office of Consumer Affairs and Business Regulation
  – November 19, 2008 before the Joint Committee on Consumer Protection and Professional Licensure
• Coalition Letter:
  – January 15, 2009
• President’s Update:
  –  January 20, 2009

OCABR Resource Links:

• Standards for the Protection of Personal Information of Residents of the Commonwealth [201 CMR 17.00] – final, as amended 11/4/09
• Frequently Asked Questions 
• Press Releases   
  – November 4, 2009  
  – August 17, 2009
• Identity Theft Main Page