Massachusetts’s new data security regulations, effective March 1, 2010, currently set forth the country’s most stringent requirements for protecting data. Going beyond what other states require, Massachusetts specifies, for example, that covered entities, including exempt organizations, must implement a written information security program and must encrypt personal information that will be transmitted over the Internet or that is kept on laptops and other portable devices. Out-of-state exempt organizations working with Massachusetts residents should determine whether they have to comply with these new regulations.