Coming on the heels of several high profile data breaches, lawmakers in the Bay State have turned their attention to evaluating and improving cybersecurity across the Commonwealth. The State Legislature has created a special committee on cybersecurity readiness and is working its way through several bills on data privacy and security (see below). In addition, Governor Baker has established a new department devoted to information technology, titled the “Executive Office of Technology Services and Security.”

Current Regulations

The Commonwealth’s data security regulations are currently governed by 201 CMR 17.00. Taking effect in March of 2010, the “Standards for the Protection of Personal Information of Residents of the Commonwealth” established minimum standards for safeguarding the personal information (PI) of residents in both paper and electronic records. The standards require owners or licensees of PI concerning a resident to develop a comprehensive information security program. Standards for such programs are to take into account: “(a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.”

Special Senate Committee on Cybersecurity Readiness

In May, the Massachusetts Senate approved the creation of a special committee to improve cybersecurity readiness throughout the state. The “Special Senate Committee on Cyber Security Readiness” is tasked with reviewing and making recommendations for the state to protect financial, medical, and other sensitive information, as well as to improve cybersecurity readiness and enhance responsiveness to public safety threats. The committee consists of Senators Michael Moore, Cynthia Creem, Michael Brady, Eric Lesser, and Ryan Fattman. Recommendations are due to the Senate by March 30, 2018.

Pending Cybersecurity Legislation

Several pieces of legislation regarding cybersecurity are pending this session:

  • HB3655: Establishing a nine-member panel to study/audit cybersecurity measures within government agencies.
  • HB2814: Amending regulations on electronic security breaches, cybersecurity, and cybercrime. Also establishes a special commission to assess and review cyber threats and make recommendations for further legislation, risk response plans, and preventive measures.
  • HB2668: Requiring state agencies procuring IT goods or services to give preference to vendors carrying cybersecurity insurance.
  • SB179: Requiring the Department of Consumer Affairs and Business Regulation to adopt regulations safeguarding PII and personal data of state residents.

Executive Office of Technology Services and Security

Governor Baker established the Executive Office of Technology Services and Security in August. The office is tasked with centralizing the state’s IT services and reviewing/updating its security and data management procedures. The intention is to increase efficiency and security across state agencies. The office will be led by Mark Nunnelly, the former Commissioner of Revenue.