What changed in the latest "final" version of Massachusetts 201 CMR 17.00? Here's what I see (emphasis is mine):
Under 17.02, Definitions
"Owns or licenses: receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."
became
"Owns or licenses: receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."
That's a big win, adding that little word "stores" to the mix.
Also in definitions:
"Service provider: any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation."
is now
"Service provider: any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation; provided, however, that “service provider” shall not include the U.S. Postal Service."
This just reflects the change in definition for those who store data, moving them from the "service provider" category to the "owns or licenses" group. The USPS exclusion seems redundant; the Commonwealth cannot impose regulations on federal agencies (especially that one).
17.03(2)(f)(2) changed from
"Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed to be in compliance herewith, notwithstanding the absence in any such contract of a requirement that the service provider maintain such protective security measures, so long as the contract was entered into before March 1, 2010."
to
"Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person’s behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010."
And that's it. No more changes. See the previous version here for reference.
Jack