The Massachusetts data security breach law and proposed regulations have triggered extensive discussion and debate over the past year. The issues and concerns raised resulted in an extension of the compliance dates for the law. Although significant modifications have recently been made under the leadership of the new Undersecretary for Consumer Affairs, Barbara Anthony, substantial compliance with the law will soon be required (March 1, 2010), and it will be required of many organizations that are not aware that the new requirements apply to them, particularly nonprofit organizations and smaller businesses.
We thought it would be helpful to offer a summary of key provisions and guidance on ensuring compliance with what has been called the “toughest-in-the-nation” data protection law and corresponding regulations.
In general, nonprofit organizations, wherever located, that employ or serve Massachusetts residents are subject to the new and far-reaching Massachusetts data security regulations. The regulations set forth standards that must be met by any non-governmental entity that owns or licenses personal information about a resident of the Commonwealth. While the proposed regulations were recently revised to include a “risk-based” approach – a shift indicating that Undersecretary Anthony has listened to widespread criticism of the regulations, particularly from small business leaders, and understands their impact – compliance will still present significant challenges that entities of all sizes will have to consider.