Along with the appointment of a new Undersecretary of the Office of Consumer Affairs and Business Regulation, there seems to be new impetus behind Senate Bill 173, which would weaken 201 CMR 17's technical requirements. It would add new language saying that "industry standard" security measures need to be in place and remove pretty much all of the specific requirements (encryption, secure passwords, firewalls, antivirus, etc.). It would also say that industries which have existing privacy compliance standards (e.g. banks, HIPAA-compliant health care organizations, etc.) would be exempted from the law. At compliancehelp.net we are eagerly following the news, because we sell a very affordable compliance kit for small businesses in Massachusetts which includes easy-to-follow instructions and templates for all the required paperwork.