In response to feedback received at a public hearing held in September, the Massachusetts Office of Consumer Affairs and Business Regulation has released what it purports to be final regulations under Massachusetts’ “Act Relative to Security Freezes and Notification of Data Breaches,” which was enacted in Jul 2007.

Regulation 201 CMR 17.00 (“Standards For The Protection of Personal Information of Residents of  the Commonwealth”) was previously amended in August in response to industry backlash.

This week’s final amendments make very few changes to the regulations that were released in August:

  • The regulations apply to persons who “store” personal information in addition to those who receive, maintain, process, or otherwise have access to personal information
  • Service Providers include persons who “store” personal information through their provision of services directly to a person that is subject to the regulations (in addition to those who receive, maintain, process, or otherwise are permitted access to personal information)
  • The express carve-out of the U.S. Postal Service from the definition of “Service Providers” has been removed
  • The amendments clarify that Service Provider agreements that are entered into before March 1, 2010 do not have to be amended to comply with the regulations until March 1, 2012.

The March 1, 2010 effective date of the regulations has not changed.