Massachusetts' Revised ID Theft Regulations

Massachusetts Undersecretary of the Office of Consumer Affairs and Business Regulation Barbara Anthony today announced adjustments to Massachusetts' identity theft regulations that maintain protections and also reinforce flexibility in compliance by small businesses.
 
The updated regulations will take effect March 1, 2010. The regulations make clear that their approach to data security is a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, should take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

 New language in the regulations recognizes that the size of a business and the amount of personal information it handles plays a role in the data security plan the business creates. The new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.

 For more information about identity theft protection, visit the Office of Consumer Affairs and Business Regulation website, www.mass.gov/consumer.