Expected Revision To Data Protection Regs Addresses Some Business Concerns

Thursday, August 27th, 2009

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) has revised – for a third time – the regulatory scheme created to protect the personal information of Massachusetts residents. The deadline for compliance is now March 1, 2010.

The OCABR originally promulgated the regulations last fall, mandating that those holding personal information about Massachusetts residents devise and implement specific, detailed policies to protect the security and integrity of that information. Virtually all Massachusetts businesses are covered, and the regulations also apply to entities outside the Commonwealth that hold Massachusetts residents’ Social Security numbers, credit card numbers, driver’s license numbers or financial account numbers.

The regulations have been controversial, particularly among members of the Massachusetts business community, who widely complained that they were inflexible, overly broad and expensive to implement.

The new version of the regulations appears aimed at addressing some of those concerns, while still adhering to the fundamental goal of requiring business practices that minimize the risk of future data breaches.

Among the more significant changes that were just announced: (1) the regulations now apply only to entities that own or license “personal information,” and no longer extend to those who simply “store or maintain” it; (2) the regulations now adopt a more risk-based approach, addressing criticism that the former draft amounted to a one-size-fits-all mandate; and (3) the new regulations rework the language concerning third-party service providers, requiring contract language that essentially obligates service providers to comply with the regulations, while grandfathering pre-existing contracts lacking such language during the first two years the regulations are in effect.