What is the Massachusetts data protection law?
The Massachusetts data protection law is legislation that stipulates security requirements for organizations that handle the private data of residents. The law is more formally known as "Standards for The Protection of Personal Information of Residents of the Commonwealth" (or 201 CMR 17.00). Similar legislation is under consideration in most other states.
The Massachusetts data protection law includes requirements for:
- Encryption of personal data.
- Retention and storage of both digital and physical records.
- Network security controls (firewalls, for example).
- Risk management policies and practices.
- Employee training.
- Adequate documentation of data breaches.
- Adequate documentation of any policy changes.
- Ensuring that any associated third-party providers who have access to the data maintain the same standards.
The Massachusetts data protection law replaces earlier legislation requiring organizations to notify individuals when a security breach put their data at risk. According to Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation, "Breach-notification laws deal with what happens after the horse leaves the barn." Crane says that 201 CMR 17.00 is intended "to prevent the horse from getting out of the barn in the first place."
Learn More About IT:
> The full text of Standards for The Protection of Personal Information of Residents of the Commonwealth is available from the OCABR website.
> In this podcast, Alex Howard interviews state officials about '201 CMR 17.00.'
> Brien M. Posey explains why encryption is no longer optional.