Massachusetts Data Privacy and Security Laws Impact Companies Across U.S.

Wide ranging state privacy and security laws enacted in Massachusetts are likely to impact the policies, practices, procedures, contracts and training used by companies nationwide.

By Bart Lazar

Thu, November 06, 2008CIO Massachusetts has enacted data privacy and data security regulations that will make it eke out California for the most wide ranging state privacy and security laws—laws that are likely to impact the policies, practices, procedures, contracts and training used by companies nationwide. The Massachusetts Office of Consumer Affairs and Business Regulation determined that there was a significant need for set of comprehensive standards that ensure businesses are taking practical steps to safeguard personal information. While many of these practices are probably adopted by most companies in some way, shape or form—now a laundry list of minimum standards will be required. And, since it may be impractical for a company to treat information collected from Massachusetts residents differently than others—many companies across the country will need to look holistically at their data privacy and security programs across the country to make sure that they meet the requirements of Massachusetts standards.

Beginning on January 1, 2009, all businesses that collect personal data from or about Massachusetts residents will need to adopt a comprehensive written security program, conduct internal and external security reviews and complete employee training regarding their programs. While the efficacy of a security program will be determined based on the relative size of a company and the type and amount of data a company maintains, the standards clearly state that a security program needs to contain, at a minimum:

  • Designate one or more employees to maintain the security program.
  • Identify and assess the internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information.
  • Evaluate current safeguards and means for detecting and preventing security system failures.
  • Implement and evaluate ongoing employee training (which must include temporary and contract employees) .
  • Implement and evaluate employee compliance with policies and procedures.
  • Develop security policies that set forth whether and how employees should be allowed to keep, access, and transport records containing personal information outside of business premises.
  • Discipline employees for violating program rules.
  • Prevent terminated employees from accessing records containing personal information by immediately terminating access.
  • Take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including:
    • Selecting and retaining service providers that are capable of maintaining safeguards for personal information (i.e., conducting due diligence)
    • Contractually requiring service providers to maintain a security program that complies with the Standards
    • Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with legal requirements
  • Require an audit/inventory to identify paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, unless the security program provides for the handling of all records as if they all contained personal information.
  • Implement reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas, or containers.
  • Regularly monitor to ensure that the security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrade information safeguards as necessary to limit risks.
  • Review the scope of the security measures on at least an annual basis or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
  • Document incident responses involving a breach of security, and changes in business practices resulting from the incidents.

regulation
Loading...
Security MarketSpace
Practical Approaches for Securing Web Applications
Enterprises understand the importance of securing web applications to protect critical corporate and customer data. What many don't understand, is how to implement a robust process for integrating security and risk management throughout the web application software development lifecycle. Learn more »
Smart techniques for application security: whitebox + blackbox security testing.
An Executive's Guide to Web Application Security
Since so many Web sites contain vulnerabilities, hackers can leverage a relatively simple exploit to gain access to a wealth of sensitive information, such as credit card data, social security numbers and health records. It's more important than ever to examine your Web application security, assess your vulnerability and take action to protect your business. Learn more »
Web Application Vulnerabilities
Security managers may work for midsize or large organizations; they may operate from anywhere on the globe. But inevitably, they share a common goal: to better manage the risks associated with their business infrastructure. Increasingly, Web application security plays a significant role in achieving that goal. Learn more »
Lower the Cost and Complexity of a Mobile Workforce through Automation
 Lower the Cost and Complexity of a Mobile Workforce Learn more »
Retooling IT for a Mobile Workforce
Check out this research note from IDC for guidance. Learn more »
Today's Risky Data Environment
This paper explains how an IT and security service provider can provide a practical, manageable and reliable solution. Learn more »
Business Continuity - Are You Always Open for Business?
This Oracle business brief explains how mid-sized can improve performance by creating an IT infrastructure that makes working faster, easier and more effective. Learn more »
 
SPONSORED LINKS
 

Making Consumer Two-Factor Authentication Simple and Cost-Effective

Mining the Cloud to Ease the Enterprise Compliance Burden

Solve Five Key IT Security Challenges with Cloud-Based Authentication

White Paper: Managed Security for a Not-So-Secure World

Secure Email and Web-Based Communication from Evolving Attacks

WagerWorks Takes Fraudsters Out of the Game using iovation

White Paper: A Security Blueprint Delivered From within the Network

Return on Information: Google Enterprise Search pays you back

Cut Costs & Green Your IT Operations with PC Power Management

White Paper: 4 Customer Service Myths

White Paper: Improve Agility with Operational Responsiveness

White Paper: Legacy Tools: Not Built for the Helpdesk

Taking a Seat at the Executive Table: The Reality of Virtualization

White Paper: Next Generation Remote Infrastructure Management

Seven Design Requirements for Web 2.0 Threat Protection

Increase UPS efficiency without sacrificing protection.

Learn how advanced forecasting tools can deliver significant business results for global corporations.

Lower IT Costs with Oracle Database 11g Release 2

White Paper: Visibility and the New Normal of Mobile Work

Taking the Service Desk to the Next Level

Learn about The Information Technology Infrastructure Library.

Return on Information: Google Enterprise Search pays you back. Get the facts.

VMware. The source for Business Infrastructure Virtualization.

ShoreTel tells businesses to untangle from competitors' complexity and turn to its brilliantly simple UC solution

Top Five CIO Challenges

Authentication as a Service by Forrester Research

Cloud-Based Authentication for Next-Generation Extranets

Mobile Security: The Essential Ingredient for Today's Enterprise

IDC White Paper: CCM for IT Compliance and Risk Management

Keeping Your Members Safe from Online Scams and Predators

Learn about the growing threat of insider data theft.

Upgrading to VMware vSphere with vWire

Maximizing website Return on Information with high-quality search

See how AT&T can help protect your network.

Webcast: Unleashing the Power of Customer Data

White Paper: 5 Best Practices for Smartphone Support

Global Research: CIOs Weigh In On Virtualization

5 Key Virtualization Management Challenges

The Total Economic Impact of Network Security Intrusion Prevention

Generation Remote Infrastructure Management - Changing the Paradigm

Cloud-Based Email Management: Opinion Shifts In Favor

eBook: How Can You Make Your People Productive Anywhere?

Achieving Business Agility with Application Grid

Ready to virtualize tier one applications? Check your virtualization maturity.

Seven Ways ITIL Can Help You in an Economic Downturn

Tips for successful virtualization management.

AT&T Synaptic Storage as a Service. Expand on demand

Trend Micro ranked #1 against real-world malware. Read more.

Webinar: Jump-start your in-house e-discovery with Ringtail QuickCull from FTI Technology

Streamline IT Costs. Boost Performance with WAN Optimization.

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords