Browse Definitions :
Definition

Massachusetts data protection law

What is the Massachusetts data protection law?

The Massachusetts data protection law is legislation that stipulates security requirements for organizations that handle the private data of residents. The law is more formally known as "Standards for The Protection of Personal Information of Residents of the Commonwealth" (or 201 CMR 17.00). Similar legislation is under consideration in most other states.

The Massachusetts data protection law includes requirements for:

  • Encryption of personal data.
  • Retention and storage of both digital and physical records.
  • Network security controls (firewalls, for example).
  • Risk management policies and practices.
  • Employee training.
  • Adequate documentation of data breaches.
  • Adequate documentation of any policy changes.
  • Ensuring that any associated third-party providers who have access to the data maintain the same standards.

The Massachusetts data protection law replaces earlier legislation requiring organizations to notify individuals when a security breach put their data at risk. According to Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation, "Breach-notification laws deal with what happens after the horse leaves the barn." Crane says that 201 CMR 17.00 is intended "to prevent the horse from getting out of the barn in the first place."

 

Learn More About IT:
> The full text of Standards for The Protection of Personal Information of Residents of the Commonwealth is available from the OCABR website.

> In this podcast, Alex Howard interviews state officials about '201 CMR 17.00.'

> Brien M. Posey explains why encryption is no longer optional. 

This was last updated in July 2009

SearchCompliance

SearchSecurity

  • cyber attack

    A cyber attack is any attempt to gain unauthorized access to a computer, computing system or computer network with the intent to ...

  • backdoor (computing)

    A backdoor is a means to access a computer system or encrypted data that bypasses the system's customary security mechanisms.

  • post-quantum cryptography

    Post-quantum cryptography, also called quantum encryption, is the development of cryptographic systems for classical computers ...

SearchHealthIT

SearchDisasterRecovery

  • risk mitigation

    Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business.

  • call tree

    A call tree is a layered hierarchical communication model that is used to notify specific individuals of an event and coordinate ...

  • Disaster Recovery as a Service (DRaaS)

    Disaster recovery as a service (DRaaS) is the replication and hosting of physical or virtual servers by a third party to provide ...

SearchStorage

  • cloud SLA (cloud service-level agreement)

    A cloud SLA (cloud service-level agreement) is an agreement between a cloud service provider and a customer that ensures a ...

  • NOR flash memory

    NOR flash memory is one of two types of non-volatile storage technologies.

  • RAM (Random Access Memory)

    RAM (Random Access Memory) is the hardware in a computing device where the operating system (OS), application programs and data ...

Close