A new Massachusetts data security regulation — the “Standards for the Protection of Personal Information of Residents of the Commonwealth” — has gone into effect as of March 1, 2010. The new regulation is intended to apply to any business that collects or retains personal information of Massachusetts residents.
Personal information, as defined under the regulation, means a first name or first initial and last name in combination with any one of the following: (i) Social Security number; (ii) driver’s license number or state identification card number; or (iii) financial account or credit card number with access codes.
Differs From State Data Breach Notification Laws
Unlike the state data breach notification laws that have been adopted in most states, the Massachusetts regulation dictates with specificity how personal information and data should be stored and treated in the normal course of business. The regulation requires that businesses take proactive steps to protect the security of computerized and noncomputerized personal information.
Information Security Program
The regulation requires that each business implement a comprehensive, written information security program. Although the regulation generally states that the required complexity of the information security program is dependent on the size, scope, and type of business covered under the regulation, the regulation also specifically calls on covered businesses to, among other things:
- designate an employee to maintain the program
- identify and assess security risks
- develop security policies for the storage, access, and transportation of records outside of the business premises
- impose disciplinary measures for violations of the program
- prevent terminated employees from accessing records
- take procedural and contractual steps to oversee service provider maintenance of appropriate security measures
- take other specified protective and preventative measures
Computer System Security Requirements
The regulation outlines several computer system security requirements. Any person, corporation, association, partnership, or other entity covered by the regulation should analyze all of these technical requirements and confirm that its existing security measures satisfy them. For example, the regulation requires:
- secure user authentication protocols
- secure access control measures
- encryption in certain circumstances
- monitoring processes
- firewall protection
- up-to-date security software
- education and training programs for employees regarding the business’s computer systems and methodologies implemented to protect personal information
While it has always been advisable to take steps to prevent a breach of the security of personal information, all businesses that collect or retain personal information of Massachusetts residents should review the specific requirements of this new state regulation to ensure compliance.