Massachusetts data security breach law

Massachusetts’s new data security regulations, effective March 1, 2010, currently set forth the country’s most stringent requirements for protecting data. Extending beyond what is required by other states, Massachusetts specifies that, for example, covered entities, including exempt organizations, must implement a written information security program and must encrypt personal information that will be transmitted over the Internet, or that is kept on laptops and other portable devices. Out-of-state exempt organizations working with Massachusetts residents should determine whether they have to comply with these new regulations.

The Massachusetts data security breach law and proposed regulations have triggered extensive discussion and debate over the past year. The issues and concerns raised resulted in an extension of the law's compliance dates. However, although significant modifications have recently been made under the leadership of the new Undersecretary for Consumer Affairs, Barbara Anthony, substantial compliance with the law will soon be required (March 1, 2010), and it will be required of many organizations that are not aware the new requirements apply to them, particularly nonprofit organizations and smaller businesses.

We thought it would be helpful to offer a summary of key provisions and guidance on ensuring compliance with what has been called the “toughest-in-the-nation” data protection law and corresponding regulations.

In general, nonprofit organizations, wherever located, that employ or serve Massachusetts residents are subject to the new and far-reaching Massachusetts data security regulations. The regulations set forth standards that must be met by any non-governmental entity that owns or licenses personal information about a resident of the Commonwealth. While the proposed regulations were recently revised to include a "risk-based" approach (a shift indicating that Undersecretary Anthony has listened to widespread criticism of the regulations, particularly from small business leaders, and understands their impact), compliance will still present significant challenges that entities of all sizes will have to consider.