Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (2010)
The Standards for the Protection of Personal Information of Residents of the Commonwealth (codified at 201 CMR 17.00, in force since March 1, 2010) require any entity that holds personal information about Massachusetts residents to follow minimum data protection standards to safeguard that information.
Applies To:
- Any person that owns or licenses personal information about a Massachusetts resident, meaning anyone who receives, stores, maintains, processes, or otherwise has access to it in connection with the provision of goods or services or in connection with employment
- broad application: the entity does not have to be located in Massachusetts
- does not apply to agencies of the Commonwealth or its political subdivisions (state and local government)
- reaches businesses outside of Massachusetts by requiring them to encrypt the personal data of any Massachusetts residents they hold
- businesses ordinarily expect to follow only the laws of the state where they are located
- this extraterritorial reach raises a jurisdiction issue
- later statute or case law will help define the limits of that reach
Requirements
- entities must protect personal information in both electronic and paper form
- must create, implement, and maintain a written information security program (WISP)
- must fit the entity's size, scope, and type of business, its resources, the amount of data it stores, and the need for security and confidentiality of that data
- must describe the administrative, technical, and physical safeguards that protect the personal information the entity holds
- program requirements are similar to those stated in the GLBA Safeguards Rule
- uses a risk-based approach: the entity reviews its resources and how it uses data, assesses its needs for security and confidentiality, and uses the results of that review to decide which safeguards to apply
- As part of its program, an entity must:
- Designate one or more employees to maintain the program
- Conduct a risk assessment to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of records containing personal information
- Evaluate and improve the current safeguards to make sure that they limit those risks effectively
- Develop policies for employees on storing, accessing, and transporting personal information outside business premises
- Impose disciplinary measures for violations of the information security program
- Prevent terminated employees from accessing records containing personal information
- Select and retain service providers capable of maintaining appropriate safeguards, and require them by contract to implement and maintain those safeguards
- Restrict physical access to records containing personal information and store them in locked facilities, areas, or containers
- Monitor the program regularly to make sure it is operating as intended, and review it at least annually or whenever there is a material change in business practices
- Document responsive actions taken in connection with any security breach and conduct a mandatory post-incident review
- includes computer system security requirements:
- Secure user authentication protocols: control of user IDs, a reasonably secure method of assigning and selecting passwords, storage of passwords in a location and format that does not compromise their security, access restricted to active users and active accounts only, and blocking access after multiple unsuccessful login attempts
- Secure access control measures: access to records containing personal information limited to those who need it to perform their job duties, with unique user IDs and passwords that are not vendor-supplied defaults
- Encryption of all transmitted records and files containing personal information that travel across public networks, and encryption of all personal information to be transmitted wirelessly
- Reasonable monitoring of systems for unauthorized use of or access to personal information
- Encryption of all personal information stored on laptops or other portable devices
- Reasonably up-to-date firewall protection and operating system security patches on any internet-connected system containing personal information
- Reasonably up-to-date system security agent software that includes malware protection, with current patches and virus definitions
- Education and training of employees on the proper use of the computer security system and the importance of personal information security
- each of these requirements applies only to the extent technically feasible
- encryption requirements:
- entities must encrypt the personal information of Massachusetts residents while it is stored on laptops or portable devices
- must encrypt it when it is transmitted over public networks or wirelessly
- does not define a preferred method or algorithm of encryption
- the regulation defines encryption as the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key; merely encoding or obfuscating the data, which anyone can reverse without a secret, does not qualify
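The regulation names no algorithm, so the practical bar is the definition above: the data must be unreadable without a confidential key. The block below is an added example (not code from the regulation or any Massachusetts guidance) showing what that looks like at the record level using AES-256-GCM from Go's standard library: a constructed customer record is sealed under a key, decrypts only under that same key, and fails to decrypt if the ciphertext is altered or the record identifier bound to it does not match. The fixed key and the sample record are assumptions for the demo; in production the key would come from a key management system and be stored separately from the encrypted data. For laptops, full-disk encryption (BitLocker, FileVault, LUKS) is the usual way to meet the portable-device requirement; record-level encryption like this is what applies when personal information is copied into files, backups, or messages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// EncryptRecord seals plaintext with AES-256-GCM under key.
// aad (additional authenticated data) is not encrypted but is bound to the
// ciphertext, so a sealed record cannot be swapped under another record ID.
// Output layout: nonce || ciphertext || GCM tag.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord. It returns an error, not partial
// plaintext, when the key or aad is wrong or the ciphertext was modified.
func DecryptRecord(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, aad)
}

func main() {
	// Constructed demo key: in practice this comes from a KMS, never from source.
	key := make([]byte, keySize)
	for i := range key {
		key[i] = byte(i)
	}
	// Constructed sample record in the shape of the data the regulation covers
	// (name plus an account-style identifier); not real data.
	record := []byte("Jane Doe,account=4111-2222-3333-4444")
	recordID := []byte("customer:1042")

	sealed, err := EncryptRecord(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes: %x...\n", len(sealed), sealed[:8])

	plain, err := DecryptRecord(key, sealed, recordID)
	fmt.Printf("right key:    %q err=%v\n", plain, err)

	_, err = DecryptRecord(make([]byte, keySize), sealed, recordID)
	fmt.Printf("wrong key:    err=%v\n", err)

	_, err = DecryptRecord(key, sealed, []byte("customer:9999"))
	fmt.Printf("wrong record: err=%v\n", err)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, tampered, recordID)
	fmt.Printf("tampered:     err=%v\n", err)
}
```

The three failure cases in `main` are the point: with an authenticated mode, meaning cannot be assigned to the stored bytes without the key, and any modification is detected rather than silently decrypting to garbage. That is the property a reviewer should look for when an entity claims its portable-device or transit encryption satisfies the standard.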
Enforcement
- the Massachusetts attorney general has the authority to enforce the data protection standards
Penalties
- civil penalties of up to $5,000 for each violation
- the attorney general can also recover the costs of investigating and litigating any violation
- the entity can also be charged reasonable attorneys' fees