Office of Consumer Affairs files revised ID theft regulations

Issue March 2009

New personal information security for consumers begins Jan. 1, 2010


The Office of Consumer Affairs and Business Regulation filed revised identity theft regulations that will preserve the privacy of consumers by increasing the level of security on personal information held by businesses and other entities.

The regulations will take effect Jan. 1, 2010, and mandate that personal information — a combination of a name along with a Social Security number, bank account number or credit card number — be encrypted when stored on portable devices or transmitted wirelessly or on public networks. Encryption of personal information on portable devices carrying identity data like laptops, PDAs and flash drives must also be completed by Jan. 1, 2010, and will ensure better protection of personal information.

“It is time for businesses and other holders of personal information to ensure that consumers’ information is kept safe,” said Daniel C. Crane, the undersecretary of the Office of Consumer Affairs and Business Regulation. “These new safeguards are fundamental standards that will keep information safer and will help businesses reinforce a vital sense of trust with customers.”

The regulations are a product of the identity theft prevention law signed by Gov. Deval Patrick. In keeping with the administration’s commitment to protecting consumers, Patrick signed an executive order last September requiring all state agencies to implement security measures consistent with the requirements in the regulations.

Since November 2007, there have been more than 450 reported cases of stolen or lost personal information that have affected nearly 700,000 Massachusetts residents. The regulations are the first of their kind in the country, and had originally been scheduled to take effect on Jan. 1, 2009. A sharp change in the business climate, along with the business community’s increased understanding of what is required to protect their customers’ identity, led to the new date.

“Businesses are becoming more aware of the urgency of this issue. To achieve the full benefit for consumers as quickly as possible, it’s worth making sure every business in the state has time to make the necessary changes to comply with these regulations,” Crane said. “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”