Massachusetts Data Security Laws

Regardless of where you do business in the United States, you already know that the security of your stored and transmitted private data is of paramount importance. However, individual states implement their own laws to ensure that this sensitive information is protected. Of all of them, the Massachusetts may have the most stringent requirements. Therefore, if you do business there, you need to learn about the Massachusetts data privacy law, more formally known as “Standards for the Protection of Personal Information of Residents of the Commonwealth” (or ma 201 cmr 17).

What Do The Massachusets Data Security Laws Involve?

The primary objective of these regulations is the protection of any data pertaining to residents of the Commonwealth of Massachusetts. In general, the law states that any organization that in any way handles this sensitive information must protect its Bay State clients from data breach by establishing written policies and security procedures. In addition, companies must keep a record of all data that they possess as well as maintain an inventory of where all electronic and hard copy data is stored. Any content that is stored on external devices or media such as flash drives or on the internet must be encrypted. 

Finally, organizations must have a strict set of policies, procedures and physical and technological protections in place to safeguard Massachusetts clients’ data, including stringent authentication standards that apply to anyone who is given access.

The Details of Massachusets Data Security Law

Massachusetts lawmakers have enacted some of the toughest regulations in the union in order to protect their residents from security breach incidents. The information security program that companies who store resident data must develop, implement and maintain needs to, in part, include the following:

  • The designation of specific personnel to oversee the program;
  • The creation of strategies to detect and prevent vulnerabilities and failures in the system;
  • The establishment of comprehensive rules and policies pertaining to storing, collecting, accessing and transporting of personal records offsite;
  • Coming up with and enforcing disciplinary policies against those who fail to comply with security policies;
  • The removal of access of terminated employees to sensitive information;
  • Ensuring that third-party service organizations and partners also follow the implemented security measures.

Any computer systems used by your organization must contain the following:

  • Secure access control and user account authentication;
  • Encryption of all transmitted files, including email;
  • Systems to monitor the security landscape;
  • Encryption of all data stored on portable devices such as laptops, tablets and flash drives;
  • Updated system technology, including firewall and anti-virus protection tools.

The Massachusetts privacy law is designed to shield the sensitive information of residents from numerous potential vulnerabilities that can be exploited in the networks and procedures of businesses. Compliance to this legal mandate is something that you need to address immediately if you wish to continue managing, storing or otherwise handling consumer data pertaining to the residents of this state.

Recent Changes To Massachusetts Data Protection Laws

As of April of 2019, the state’s data breach notification law has undergone a number of significant modifications with which affected organizations must comply. First, any company that is the victim of a data breach must provide affected customers with free credit freezes and credit monitoring. For most companies, this service must last at least 18 months; consumer reporting agencies must furnish it for 42 months. In either case, the company must document that the services are being offered.

The second requirement has to do with the specific content that must be contained in a breach notification. The Commonwealth’s rules already required affected organizations to notify the director of the Office of Consumer Affairs and Business Regulation (OCABR) and the Massachusetts attorney general as soon as it is reasonable after the incident has been discovered even if they are not yet sure how many people were affected. It must include the nature of the breach, the number of Massachusetts residents affected and what the organization is doing to correct the situation. Recent updates to the law now require the following additional facts:

  • Contact information, including the name and address of the entity that experienced the incident;
  • Name and title of the entity reporting the breach, who they are and how they are related to the affected company;
  • Specifics about the types of personal information compromised;
  • The entity or person at fault for the breach (if known);
  • The nature of the organization’s security policy and relevant updating procedures.

Finally, the OCABR must create a copy of the breach notice that was sent to consumers and post it online on their website. In addition, it must tell consumers how they can obtain a copy of the initial statement that the company sent notifying them of the breach.

This legislation could affect your company even if your headquarters are far away from the Bay State. If you are the victim of a data breach incident and even one of your customers resides in Massachusetts, you will be expected to comply with the standards. If you cannot demonstrate that you have a robust network of security protocols, systems and team members in place, your company needs to act now to upgrade and update your data safety infrastructure and services. This Massachusetts privacy law is more than guidelines; it is the law and is designed to protect the public. Take time to implement it, and your company will protect its customers and its bottom line.