software or other technical safeguards. The regulations require encryption of any data relating to a Massachusetts resident transmitted across a public network, as well as encryption (not just password protection) of any customer data on a portable device. The State of Massachusetts makes available a “Compliance Checklist” that guides a business through the process of creating and implementing a comprehensive Written Information Security Program (WISP).

Massachusetts data privacy laws and regulations require all persons that own or license personal information of Massachusetts residents to:

[D]evelop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope, and type of business of the person obligated to safeguard the personal information... (b) the number of resources available to such person, (c) the amount of stored data, and (d) the need for security and confidentiality of both consumer and employee information. [201 Mass. Code Regs 17.03(1)]

These Massachusetts regulations require policies that include training of employees, identifying media and records that contain personal information, monitoring, and verifying and requiring that third party service providers comply with the Massachusetts regulations. Specific technical safeguards are identified, such as secure authentication protocols, secure access control measures, and encryption of personal information stored on laptops and mobile devices, or in any files or records that contain personal information and that may be transmitted across a public network. A Minnesota business may have to pay attention to these Massachusetts data security laws and regulations if it collects any personal information of a Massachusetts resident.