In an announcement released on Monday, August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) amended its data security regulations for the third time. OCABR’s press release, and much of the press coverage,gives the impression that the amendments were limited in scope to an extended compliance date and a risk-based standard to alleviate the burden on small businesses. While the amended regulations include these changes, the regulations also include a number of additional substantive modifications that will have an impact on businesses that have been preparing to comply or are considering what steps to take to comply with the regulations. The regulations (and the previous revisions to the regulations) are described at greater length in earlier Morrison & Foerster Legal Updates (“New Massachusetts Regulation Requires Encryption of Portable Devices and Comprehensive Data Security Programs”, “Massachusetts Delays Effective Date of New Data Security Regulations”, and “Massachusetts Amends Burdensome Service Provider Oversight Requirements of New Data Security Regulations and Delays Compliance Date Again”).