Oh - about that deadline ...

[[Seen on Telecom Digest]]



http://www.mass.gov/?
pageID=ocapressrelease&L=3&L0=Home&L1=Business&L2=Identity
+Theft&sid=Eoca&b=pressrelease&f=081114_IDTheftupdate&csid=Eoca

November 14, 2008 - For immediate release:

Business Community Given Additional Time to Comply with Identity  
Theft Prevention Regulations

BOSTON - November 14, 2008 - The Office of Consumer Affairs and
Business Regulation (OCABR) today extended the deadline for compliance
with standards for how businesses protect and store consumers'
personal information.

Recognizing that the majority of breaches involve the theft of
portable devices and that data encryption significantly neutralizes
consumer risk if information is lost or stolen, the regulations issued
in September call on businesses to encrypt documents sent over the
Internet or saved on laptops or flash drives, encrypt wirelessly
transmitted data, and utilize up-to-date firewall protection that
creates an electronic gatekeeper between the data and the outside
world and only permits authorized users to access or transmit data.

The regulations were initially set to take effect on January 1, 2009,
but in light of intervening economic circumstances, OCABR has extended
the deadline in order to provide flexibility to businesses that may be
experiencing financial challenges brought on by national and
international economic conditions.

"These sensible measures are already widely used by many Massachusetts
companies, but we recognize that some businesses, currently facing
economic uncertainties, will benefit from having additional time to
comply," said Undersecretary of Consumer Affairs and Business
Regulation Daniel C. Crane. "The action taken today serves to provide
flexibility to businesses working to implement the necessary measures
to safeguard their customers' personal information in a timely
manner."

The new deadlines are as follows:

* The general compliance deadline for 201 CMR 17.00 has been
   extended from January 1, 2009 to May 1, 2009. The date is consistent
   with a new FTC Red Flag Rule, which requires financial institutions
   and creditors to develop and implement written identity theft
   prevention programs. Businesses addressing the new FTC requirements
   can now address the state regulations during the same time frame.

* The deadline for ensuring that third-party service providers are
   capable of protecting personal information and contractually binding
   them to do so will be extended from January 1, 2009 to May 1, 2009,
   and the deadline for requiring written certification from third-party
   providers will be further extended to January 1, 2010. This tiered
   deadline for requiring certification will ensure proper consumer
   protection and facilitate implementation without overburdening small
   businesses during harsh economic times.

* The deadline for ensuring encryption of laptops will be extended
   from January 1, 2009 to May 1, 2009, and the deadline for ensuring
   encryption of other portable devices will be further extended to
   January 1, 2010. Many data breaches reported to date relate to
   laptops, and laptops are more easily encrypted than other portable
   devices such as memory sticks, DVDs and PDAs.

OCABR will continue its outreach and educational initiatives
throughout the fall and winter to educate businesses about these
important data protection and storage requirements and their
respective deadlines.

To review OCABR's report on data breach notifications, a compliance
check list, FAQs and other information related to identity theft
prevention, please visit
http://www.mass.gov/?
pageID=ocatopic&L=3&L0=Home&L1=Business&L2=Identity+Theft&sid=Eoca


--
The war on privilege will never end. Its next great campaign will be  
against the privileges of the underprivileged. H. L. Mencken


**********************************************************************
For Listserv Instructions, see http://www.lawlists.net/cyberia
Off-Topic threads: http://www.lawlists.net/mailman/listinfo/cyberia-ot
Need more help? Send mail to: Cyberia-L-Request@...
**********************************************************************