Do you conduct online credit card transactions with Massachusetts residents? Do you collect Social Security numbers or financial account numbers from Massachusetts residents? If you answered yes to either question, this law affects you. It does not matter where your company is located; once you handle a Massachusetts resident's personal information, this new law applies to you.
In October 2008, the Commonwealth of Massachusetts introduced sweeping new regulations to protect the "personal information" of its residents. Unlike the data breach notification laws enacted by most states (including Massachusetts), these regulations are not confined to situations where data has already been compromised. Instead, they impose a comprehensive new regime designed to prevent data breaches in the first place.
The regulations apply to any entity that handles a Massachusetts resident's Social Security number, credit card number or financial account number, which means virtually all Massachusetts businesses, and many businesses outside the Commonwealth, are affected.
As of May 1, 2009, any company that stores such personal information must have the required security controls in place. The Massachusetts Office of Consumer Affairs & Business Regulation ("OCABR") issued the "Standards for Protection of Personal Information of Residents of the Commonwealth" (201 CMR 17.00). This regulation represents one of the most far-reaching information security and compliance requirements in the country.
Massachusetts now has the broadest data security regulations in the country. These regulations - which cover businesses inside and outside of Massachusetts - require the development and implementation of a comprehensive, written information security program.
Satisfying the new regulatory requirements is not simply a question of allocating resources. It demands a dedicated, well-planned program- or project-based effort.
The new law spells out many specific requirements, including secure, authenticated access to this kind of sensitive personal information (PII) regardless of where the data sits: in systems, on servers, or inside applications.
Here's the link to the new MA regulation (pdf).
New York has also recently issued its own version of this kind of law (data protection requirements specifically related to application security), and the question that begs to be answered is how many more states will put similar data protection requirements in place. The bottom line is that data protection continues to become a "front and center" initiative for many states, and this trend is only going to gain momentum. Businesses should start thinking now about their own data protection controls across networks, systems and applications, and quickly establish a baseline. Many of the steps needed to meet these additional data protection requirements echo core PCI, HIPAA and other regulatory requirements. That is an added burden for the many businesses still working toward compliance with those existing regulations, but it is also one more reason to get that work done as quickly as possible.