Final Version of MGL 93H 201 CMR 17.00 Filed
OCABR (Massachusetts Office of Consumer Affairs and Business Regulation) on October 29th, 2009 filed the "Final" version of the "Standards for the Protection of Personal Information" also known as MGL 93H 201 CMR 17.00 with the Secretary of State's office. The first issue was in September of 2008, and after more than a year of amendments to the original regulations this is the final step before the regulation takes effect on March 1, 2010. The final regulations include some further clarifications than the amendment that was released in August of this year, but are substantially similar.
The latest revisions were written in response to requests from companies and business leaders that were looking for further clarification of the regulation.
Following are the changes:
Owns or licenses - adds the word "stores"
Service provider - adds the word "stores" and deletes the phrase provided, however that "Service provider" shall not include the U.S. Postal Service.
17.03 Duty to Protect and Standards for Protecting Personal information
Clarifies the language in section (2)(f)(2) relating to service provider contracts - A contract entered into with a third party service provider is deemed to be in compliance with this section until March 1, 2012, even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as the contract was entered into no later than March 1, 2010
"Definition of Owns or Licenses. A company owns or licenses personal information if it "receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment." The final regulations make clear for the first time that a company that "stores" the personal information of a Massachusetts resident is subject to the regulations' requirements, even if the company does not otherwise process or access such information.
Definition of Service Providers. A service provider is defined as "any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation." The final regulations eliminate a previous carve-out that had stated, "‘service provider' shall not include the U.S. Postal Service." It is not clear that the OCABR intends this change to mean that a company using the U.S. Postal Service to transmit personal information must contractually require the U.S. Postal Service to implement and maintain appropriate security measures for such personal information, as it must do with other service providers. But the OCABR has stated that a company must assess the risks of using a common carrier, including the U.S. Postal Service, to transmit personal information and take steps to protect that personal information.
Amending Existing Contracts with Service Providers. The final regulations clarify prior language related to a grace period for amending existing contracts with service providers so that such contracts require the service providers to implement and maintain appropriate security measures for personal information. The regulations now make clear that a company has until March 1, 2012 to amend existing contracts with service providers to include personal information security provisions, as long as the existing contracts were entered into before March 1, 2010. As before, service-provider contracts that the company entered into after March 1, 2010, must include personal information security provisions." 
For a copy of the most up to date Regulation please click here.
 David M. McIntosh, Lisa M. Ropple Christine Santariga
Ropes & Gray LLP Boston Office