While your company may not be physically or operationally doing business in Massachusetts, you should know about the recently enacted Massachusetts Data Protection Law (Massachusetts 201 CMR 17). This law should interest you for two reasons:

  • Your company is subject to this law if it handles or stores the personal information of any Massachusetts resident; and
  • The law establishes certain requirements of a security program that your company should consider implementing, regardless of where you do business.

These regulations finally went into effect on March 1, 2010. The law requires that every person or business that has the "personal information" of a Massachusetts resident develop, implement and maintain a "comprehensive information security program." Among the specific requirements that a company must have addressed as part of its information security program, it must include, without limitation:

  • Adoption of a written information security program.
  • Appointment of someone accountable for the information security program.
  • Adoption and implementation of comprehensive security policies and training of employees thereon.
  • Encryption of personal information across public networks and when transmitted wirelessly.
  • Encryption of portable devices that store personal information, where reasonable and technically feasible.
  • Encryption of backup tapes on a prospective basis.
  • Limitation of the amount of personal information collected, the length of time the information is retained and the number of individuals who are permitted to access and use it.
  • Regular monitoring of the security program and an assessment of the security measures on an annual basis, or when there is a material change to the business practices of the company, whichever is earlier.
  • Requirements that third party service providers maintain appropriate safeguards, including contractual representations, respecting the protection of personal information.
  • Deployment of security system controls such as malware protection, patches and virus definitions that receive security updates on a regular basis.
  • Documentation of actions taken in connection with the occurrence of a security incident with lessons learned incorporated back into the security program.

Most other state, federal and international data protection laws currently provide limited guidance on what specific controls and measures an individual or organization should employ to protect personal information and to prevent security incidents. However, many security and privacy experts are predicting that more jurisdictions will start following Massachusetts' lead by adopting regulations that dictate specific security and privacy controls — as opposed to leaving the definition of "adequate safeguards" up to the discretion of each organization. Additionally, while implementing the specific security and privacy controls enumerated in the Massachusetts Data Protection Law does not guarantee that an organization will never suffer a privacy or security incident, it does establish a checklist of measures that regulators expect an organization to have implemented to meet a "reasonable standard of care." Implementing the specific programmatic security measures set forth in the Massachusetts Data Protection Law makes good practical and operational sense in terms of mitigating risk; but it also helps organizations establish the presumption that they are establishing adequate safeguards to protect data, and are not acting in a negligent or neglectful manner, should a security incident occur.