RED Systems, Inc.  Our goal is stress reduction!

Massachusetts Privacy Law (201 CMR 17)

In September 2008, Massachusetts enacted a new privacy law to protect the personal information of Massachusetts residents. If you do business with residents of Massachusetts or have employees who reside in Massachusetts, you must comply no later than January 1, 2010.

This new legislation affects all organizations that own, license, store, or maintain personal information of Massachusetts residents, regardless of the size or location of the business. Organizations must also verify that third-party service providers with access to personal information comply with the new law.

The Massachusetts law is the first in the nation to require specific technology when protecting personal information. Personal information must be encrypted both when it is stored and when it moves over a public network, such as the Internet.

Personal information is defined as a Massachusetts resident's name in combination with one of the following:

  • Social Security number
  • Driver's license number or state-issued identification card number
  • Financial account number or credit/debit card number (with or without a security code, access code, PIN, or password that would permit access to a resident’s financial account)

RED Systems has produced two documents that may help your organization deal with this law. The third link below is to a state document.

Massachusetts Privacy Law

Massachusetts Data Privacy Law Frequently Asked Questions

Small Business Guide For Formulating A Comprehensive Written Information Security Program. (This is a good "Boilerplate" to use for creating a WISP)