Legal Update

Oct 13, 2008

New Data Privacy and Security Standards Affect U.S. Businesses With Information About Massachusetts Residents

All U.S. Businesses with Data on Massachusetts Residents Will Need Written Information Security Programs, Including Policies, Contracts and Training, and Will Need to Meet Computer System Requirements

As forecasted in our One Minute Memo® from January 2008, "Proposed Regulations Would Impact All Businesses With Personal Data On Massachusetts Residents," the Massachusetts Office of Consumer Affairs and Business Regulations recently adopted Standards for The Protection of Personal Information of Residents of the Commonwealth (“Standards”). The statute applies to any business that collects information regarding a Massachusetts consumer or employee, and establishes certain minimum privacy and security standards. Unlike other state and some federal data security laws, these Standards apply to paper as well as electronic records.

The Standards go into effect on May 1, 2009, and require businesses to create a comprehensive written information security program. While the efficacy of a security program will be determined based on the relative size of a company and the type and amount of data a company maintains, the Standards clearly state that a security program needs to contain, at a minimum, the following:

Seyfarth Shaw LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from their professional advisers.