Here is an informational article on the Massachusetts Data Privacy law, effective March 1, 2010. Source: CIO Magazine. "all businesses that collect personal data from or about Massachusetts residents will need to adopt a comprehensive written security program. Unlike most state-based data privacy laws, which focus primarily on public disclosure once a breach occurs, the new Massachusetts law prescribes that more stringent protective measures be taken to prevent breaches from occurring in the first place."
It is interesting to note the following insightful comments about this law being more actionable and posing certain challenges as a result. "The Massachusetts law is more actionable than most data security regulations as it prescribes specific technical measures that must be taken to protect Personally Identifiable Information (PII), hence it forces businesses to become proactive in securing technology. Many of the measures outlined in the bill are actions that companies should already be taking, such as ensuring that the enterprise is adequately protecting PII. While this initiative seems intuitive and straightforward, it has proven to be challenging for many organizations.
The new regulations require companies to limit the amount of data they collect, maintain a written security policy and keep a detailed inventory of all personal data and where it is stored. The regulations also require any business that handles sensitive personal information on citizens of the Commonwealth of Massachusetts to encrypt that data as it is transmitted via the Internet or stored on external mobile devices such as laptops, USB drives and other mobile storage equipment."
*** Credits and source: CIO Magazine