Massachusetts extends deadline on data security rules again
Jaikumar Vijayan reports:
For the second time in three months, Massachusetts officials have pushed back the deadline for companies to comply with a controversial set of data security regulations that the state announced last September.
In addition to the deadline extension, which was announced late Thursday , the state’s Office of Consumer Affairs and Business Regulation (OCABR) also revised a key provision in the regulations that had prompted considerable concern within the business community both inside and outside of Massachusetts.[…]
As part of the revisions, state regulators also removed an especially contentious requirement mandating that companies get third parties with access to customer data to attest that they were compliant with the regulations as well. In addition, that provision also required third-party services providers to include language in their contracts specifying that they were willing and able to comply with the security rules.
Under the revised regulations, companies only have to take “reasonable steps” to verify that any third-party providers with access to personal data have the ability to protect the information through measures that are comparable to the ones spelled out by the OCABR.
Read more on Computerworld