In 2008, the Massachusetts Office of Consumer Affairs and Business Regulation introduced 201 CMR 17.00 which has become the gold standard of data protection laws.

“This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.”

In other words, the regulation applies to every CPA firm that has an individual client or an employee that resides in Massachusetts. The original deadline for compliance was January 1, 2009.  This deadline was first extended until May 1, 2009 and was later extended until January 1, 2010.

Well, guess what? It has been extended yet again! On August 17, 2009, the Governor, Lieutenant Governor and Undersecretary issued a statement entitled Small-Business Considerations Reflected in Massachusetts’ Revised ID Theft Regulations. Included in the statement was the following:

The extension will help most businesses within the Commonwealth. However, I don’t think it will help many CPA firms. Tax season is not the time you want to worry about the complexities of this regulation. Long before winter hits, firms should review the regulation, determine how they impact the organization, and implement the technologies required to ensure compliance with the regulation.
If you have any questions about this new regulation or need help at your firm, please contact Barry MacQuarrie, CPA, at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .