Massachusetts Massachusetts has widely been regarded as the gold standard for data security laws. Massachusetts requires any company that owns or licenses personal information from residents of the state to develop, implement, and maintain a comprehensive written policy that creates proper administrative, technical, and physical safeguards for consumer information. Massachusetts follows a “sliding scale” approach, allowing a smaller business with limited customer information to develop a policy that works to protect their data, but does not require costly investments in software or other technical safeguards. The regulations require encryption of any data relating to a Massachusetts resident transmitted across a public network, as well as encryption (not just password protection) of any customer data on a portable device. The State of Massachusetts makes available a “Compliance Checklist” that guides a business through the process of creating and implementing a comprehensive Written Information Security Program (WISP). Massachusetts data privacy laws and regulations require all persons that own or license personal information of Massachusetts residents to: [D]evelop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope, and type of business of the person obligated to safeguard the personal information... (b) the amount of resources available to such person, (c) the amount of stored data, and (d) the need for security and confidentiality of both consumer and employee information. [201 Mass. Code Regs 17.03(1)]. These Massachusetts regulations require policies that include training of employees, identifying media and records that contain personal information, monitoring, and verifying and requiring that third party service providers comply with the Massachusetts regulations.
123
Made with FlippingBook - Online Brochure Maker