May 4, 2009
In short: At this point, your 201 CMR 17 compliance plan should be added to your compliance program, your technical controls should be deployed (encryption, firewalls, etc.), and you need to select an independent third party to conduct your audit.
Issued in September, the regulations require that businesses encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data, and deploy up-to-date firewalls to create “an electronic gatekeeper” between the data and the outside world that only allows authorized users to access or transmit data.
Under the new deadline structure:
- The general compliance deadline for 201 CMR 17.00 is extended to May 1. The date is consistent with a new FTC Red Flag Rule requiring financial institutions and creditors to develop and implement written identity theft prevention programs.
- Third-party service providers now have until May 1 to prove they are capable of protecting personal information and are contractually obligated to do so. Meantime, the deadline for requiring written certification from third-party providers will be further extended to Jan. 1, 2010.
- The deadline to encrypt all laptops will be extended from Jan. 1 to May 1, and the deadline to encrypt other portable devices will be further extended to Jan. 1, 2010.