
AIM Resource Page: Massachusetts Data-Breach Regulations
Massachusetts employers face a broad new set of regulations governing
the way in which they safeguard customer and employee data. The
regulations affect all employers and may require operational and
technological changes for employers having custody of personal
information, including employee records.
AIM offers this Resource Page as a one-stop source for
information, updates and events.
Seminars
Data Regulations 'Finally Final;' Is Your Company
Prepared?
Is your company prepared to comply with the recently finalized
Massachusetts data privacy regulations? Time is running out. Join AIM
for a series of four seminars in January to learn what you must do to
meet the toughest-in-the-nation standards by March 1.
Join AIM at the Information Security Summit in
Springfield
AIM is among the sponsors for a free, daylong conference in
Springfield on the new Massachusetts Data Security Law and what it means
to your business.
January 27 | Springfield
8:30 a.m. - 4:30 p.m.
Register
News
Regulators Finalize Toughest-in-Nation Data Security
Regulations
(November 4, 2009)
State regulators announced finalized
comprehensive new rules governing the way in which employers and others
maintain the privacy of personal information. The final regulations (201 CMR 17.00)
contained several changes, including one pertaining to contracts signed
with third-party data companies prior to the March 1, 2010
regulation effective date. Filing of the final regulations ends
more than two years of debate among AIM, state officials and consumer
groups.
Data Regulations - Executive Summary
AIM Backs Alternative Data-Privacy Law
(Posted May 12, 2009)
AIM testified this week in favor of an alternative data-security law
that would address the problem of identity theft without imposing
economically damaging and unrealistic regulations on employers. AIM
believes the bill represents a better approach than the one taken by the
complex and confusing 2007 data-security law that will cause compliance
issues for almost every Massachusetts company next year.
Learn More
Business Coalition Letter to Secretary Bialecki:
(Posted April 2, 2009)
On Thursday, April 2, 2009, the Business Coalition urged Secretary
Gregory Bialecki to engage in a substantive dialogue with industry
experts, Department of Consumer Affairs and Business Regulation, the
Legislature and the Office of the Attorney General. The coalition described
the administration's changes in the effective date of compliance as
"good." Regrettably, the other amendments to the regulations are
inadequate or simply do not address the substantive issues that are
still cause for great concern. Simply delaying the compliance deadline
does not solve these substantive problems.
Read the Business Coalition's Letter (April 2, 2009)
Read the Business Coalition's Letter (January 16, 2009)
Read the written comments and transcript from the
January 16, 2009 Public Hearing
Read the Office of Small Business and Entrepreneurship
"Small Biz Brief" on ID Theft
Bulletin: Regulators Postpone Data-Security Regulation
(Posted February 13, 2009)
Massachusetts consumer regulators
Thursday postponed implementation of new data-security rules
until January 1, 2010 and amended a controversial section of those rules
governing security practices of third-party vendors. The proposed
regulations have generated a firestorm of criticism from business
on the grounds that they are impractical and ineffective.
The Massachusetts Office of Consumer Affairs and Business
Regulation filed the amended regulations with the Secretary of State
Thursday evening. Key amendments include a delay in the general
effective date of the data regulations until January 2010 and changes to
the standard for third party vendor relationships. AIM will
continue to analyze these regulations and work with the administration
regarding many of the outstanding concerns with the regulations.
"AIM is pleased with
actions taken yesterday by the Office of Consumer Affairs & Business
Regulations to file with the Secretary of State several amendments to
proposed data security regulations that include a delay in the general
effective date of compliance from May 1st to January 2010," said AIM
President and Chief Executive Officer Richard C. Lord.
"While AIM and its members believe that
the protection of personal information is a necessary activity and an
integral part of every business model, as currently written the initial
set of proposed regulations (201 CMR 17.00) went beyond the
Legislature’s intent by proscribing highly prescriptive mandates
that did not take into consideration the national and global business
relationships that Massachusetts firms depend upon.
"During the period ahead, AIM and its
members will continue to monitor and work closely with the Office of
Consumer Affairs & Business Regulations to insure that the final
version of data security regulations that will ultimately impact every
employer in the Commonwealth including the public sector are technically
and economically feasible."
As of today the following sections of the rules have been altered:
- Section 17.03 (6) Duty to Protect and Standards for Protecting Personal
  Information – Changes the standard for third party vendor relationships.
  The amended regulations for this standard are below:
  “Taking all reasonable steps to verify that any third-party
  service provider with access to personal information has the capacity to
  protect such personal information in the manner provided for in 201 CMR
  17.00; and taking all reasonable steps to ensure that such third party
  service provider is applying to such personal information protective
  security measures at least as stringent as those required to be applied
  to personal information under 201 CMR 17.00.”
- Section 17.04 Computer Security Requirements – Limit the requirement for
  encryption to personal data transmitted over public networks or wireless
  communications.
- 17.05 Effective Date – Changes extend the general effective date of the
  regulations from May 1, 2009 to January 1, 2010.
Read the amended regulation
Read the Press Release
Business Urges New Approach on State Data
Regulations
(Posted Friday January 16, 2009)
AIM and a coalition of 70 employers
and business associations urged the state Thursday to go back to the
drawing board to develop workable regulations to prevent data breaches
and identity theft. Joining with employers such as Verizon, Wal-Mart,
Microsoft and AOL, AIM said the current regulations contain requirements
that are not technically or economically feasible. State officials plan
a hearing on the matter this afternoon.
Learn More - Read the State House News Article
Learn More - Read AIM's Testimony
Learn More - Read the Business Coalition Letter
Learn More - Read AIM's Press Release
State Schedules Hearing on
Privacy Compliance Dates
(Posted December 3, 2008)
The Massachusetts Department of
Consumer Affairs and Business Regulation will conduct a public hearing
on January 16 to consider rules extending the dates by which employers
must comply with the strictest data privacy law in the country. AIM
encourages member companies to submit oral or written testimony. Please
contact Brad
MacDougall for more information.
Learn More
AIM: Use Federal Data Privacy
Standards
(Posted November 19, 2008)
AIM told a legislative hearing that state
data-security regulations due to take effect next year are based upon
faulty assumptions about technology and business operations. The
association asked the state to adopt federal standards instead.
Learn More
Patrick Administration
Postpones Implementation of Regulations
(Posted November 14, 2007)
The Patrick Administration announced Friday that it will
postpone implementation of new rules governing the manner in which
companies maintain personal data on customers and employees. AIM
applauded the decision, which moves implementation of some parts of
the regulations from January 1 to May 1, and others from January 1, 2009
to January 1, 2010.
Learn More
Business Groups Ask Governor
to Postpone Regulations
(Posted October 24, 2008)
October 24, 2008 - AIM and almost three dozen other business
organizations and companies asked Governor Deval Patrick Thursday to
postpone new regulations governing the manner in which companies
safeguard the customer and employee data they keep. The business groups
believe that companies cannot implement the complex new regulations by
the January 1 deadline.
Learn More
Links
AIM Resource Center & Key Documents
AIM's Executive Summary of 93H Law
Office of Consumer Affairs and
Business Regulation
Office of the Attorney
General
Find or Advertise your business services on AIM's Buy
Mass Directory
More Information
Bradley MacDougall
Associate Vice President, Government Affairs
617.262.1180
bmacdougall@aimnet.org
Lynda Slevosky
Vice President, Employer's Resource Group
617.262.1180
lslevoski@aimnet.org