September 28, 2009 Edition

Ten Points About: The Newly Amended Identity Theft Regulations

By AMY B. ROYAL, Esq.

1. On August 17, the state Office of Consumer Affairs and Business Regulations announced a new round of revisions to the identity theft regulations that are intended to be less onerous on smaller businesses and more consistent with federal law.

2. The regulation’s new effective date is March 1, 2010. This is the third time that these regulations have been extended.
3. The most dramatic change to the newest proposed set of regulations is the adoption of a “risk-based” approach to information security.
4. With the new risk-based approach, size matters. Under this new approach, businesses are permitted to take into account their particular size, scope, amount of resources, nature and quantity of data collected or stored and the need for security when creating and implementing their information-security program.

5. The changes in the regulations are especially important to small businesses that do not handle and store large amounts of personal information.

6. The regulations soften the requirements for businesses that only store personal employee information as opposed to those businesses that also store personal customer information.
7. The regulations clarify that they apply to “those engaged in commerce,” meaning those who collect and retain personal information in connection with the provision of goods and services or for the purpose of employment.
8. The computer security requirements of the new regulations apply to a business if they are technically feasible. This means that if there is a reasonable means through technology to accomplish the required result, then those reasonable means must be used.
9. Whether your business is small or large, your information security program must be in writing.

10. The regulations require encryption of portable devices where it is reasonable and technically feasible. The definition of encryption has been amended to make it technology neutral.

Although the regulations have again been delayed, it is still important to begin planning for compliance now, especially since the information security program must be developed, written and implemented, which includes training employees in the program, by March 1, 2010.

Amy B. Royal, Esq. is a partner in the law firm of Royal & Klimczuk, LLC. She specializes in management-side labor and employment law; (413) 586-2288 or aroyal@rkesq.com.