Massachusetts Extends Deadline for Businesses to Encrypt Data

The Commonwealth of Massachusetts has extended by at least four months a deadline for businesses to electronically encrypt digital records of their customers’ personal information.

The new regulations – which had been issued in September and scheduled to go into effect Jan 1, 2009 – apply to any documents sent through the Internet or stored on computers and other portable electronic devices by businesses.

The law follows a several years-long string of high profile data breaches by both private and government entities, the majority of which involved the theft of portable devices, such as laptops.

Encrypting data is a methof of effectively neutralizing the risk that electronic information can be accessed by someone unauthorized to view it.

The general deadline for businesses to comply with the new regulations is now May 1, 2009. In addition, some rules – such as those requiring written certification from third party service providers, and for encrypting portable devices other than laptops – has been extended to Jan 1, 2010.

The decision, to extend the deadline was made because of the economic downturn, according to a report issued by the Office of Consumer Affairs and Business regulation.

“These sensible measures are already widely used by many Massachusetts companies, but we recognize that some businesses, currently facing economic uncertainties, will benefit from having additional time to comply,” said Undersecretary of Consumer Affairs and Business Regulation Daniel C. Crane, in a release. “The action taken today serves to provide flexibility to businesses working to implement the necessary measures to safeguard their customers’ personal information in a timely manner.”