The Massachusetts data security breach law and proposed regulations have triggered extensive discussions and debate over the past year.  The issues and concerns raised resulted in extension of the compliance dates for the law.  However, although significant modifications have recently been made under the leadership of the new Undersecretary for Consumer Affairs, Barbara Anthony, substantial compliance with the law will soon be required (March 1, 2010) – and required by many organizations that are not aware that the new requirements apply to them, particularly nonprofit organizations and smaller businesses.

We thought it would be helpful to offer a summary of key provisions and guidance on ensuring compliance with what has been called the “toughest-in-the-nation” data protection law and corresponding regulations.

In general, nonprofit organizations, wherever located, that employ or serve Massachusetts residents are subject to the new and far-reaching Massachusetts data security regulations.  The regulations set forth standards that must be met by any non-governmental entity that owns or licenses personal information about a resident of the Commonwealth.  While the proposed regulations were recently revised to include a “risk-based” approach – a shift indicating that Undersecretary Anthony has listened to widespread criticism of the regulations, particularly from small business leaders, and understands their impact – compliance will still present significant challenges that entities of all sizes will have to consider.

The regulations apply to any entity that owns or licenses “personal information,” which is defined by the regulations as a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following: (a) Social Security number; (b) driver’s license number or state-issued identification card; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.  By virtue of this broad definition, nonprofit entities must ensure that any such information related to its employees, clients or customers is adequately protected.


The current regulations enable persons covered by the regulations to tailor their information security programs to their size, scope, type of business, resources, amount of personal information and need.  These changes were primarily intended to ease the burden of the regulations on entities like nonprofits that may not handle a significant amount of personal information, or may not have the resources to develop a sophisticated security program.

Nonetheless, nonprofits which own or license personal information of Massachusetts residents must take appropriate safeguards to protect this information. For example.

  • They must develop, implement and maintain a written information security program that designates an employee for maintenance purposes.
  • To ensure that its employees are aware of and comply with the regulations and are capable of detecting and preventing security system failures, they must train their employees, including temporary or contract employees, regarding practices related to storage and access to personal information, in addition to transportation of records containing personal information outside of the entity’s premises. In addition, any employee who violates the regulations must be disciplined as deemed appropriate, and terminated employees must not have access to records containing personal information.
  • They must take reasonable steps to select and retain third-party service providers that are capable of protecting personal information, and must require their third-party service providers by contract to implement and maintain appropriate security measures for personal information.
  • Electronically stored or transmitted personal information, to the extent technically feasible, must be protected by secure user authentication protocols and secure access control measures. In addition, electronic systems must be maintained with appropriate and updated security software, and systems that are connected to the internet must contain up-to-date firewall protection, reasonably designed to maintain the integrity of personal information. Importantly, personal information transmitted across public networks, wirelessly, or in any portable device, must be encrypted.
  • Regular monitoring must be conducted, including identification and assessment of reasonably foreseeable internal and external risks to security. In addition, they must document actions taken in connection with any breach of security related to personal information and, following such breach, must make any necessary changes in its business practices to ensure protection of personal information.

A public hearing was held in Boston on September 22, 2009 on these regulations.