After several delays and revisions, the Massachusetts information security regulations, entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth,” will take effect on March 1, 2010. The regulations apply to entities that own or license personal information about Massachusetts residents. “Personal information” is defined as a combination of a resident’s first and last name and Social Security number, driver’s license or state ID number, or financial account number or payment card number that permits access to the individual’s financial account.
The regulations require entities to develop, implement and maintain a written, risk-based information security program that takes into account the entity’s size, nature of its business, types of records it maintains and the risk of identity theft posed by the entity’s operations. Also set out in the regulations are numerous administrative, technical and physical safeguards that the required information security program must include.
Finally, the regulations require covered entities to take steps to select and retain service providers that are capable of appropriately safeguarding personal information. Covered entities must contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements; provided, however, that service provider contracts entered into no later than March 1, 2010, are exempt from complying with this requirement until March 1, 2012.
View the Massachusetts regulations.