April 15, 2010, 3:04 PM — The Massachusetts Data Privacy law, effective as of March 1, 2010, states that all businesses that collect personal data from or about Massachusetts residents will need to adopt a comprehensive written security program. Unlike most state-based data privacy laws, which focus primarily on public disclosure once a breach occurs, the new Massachusetts law prescribes that more stringent protective measures be taken to prevent breaches from occurring in the first place.
The Massachusetts law is more actionable than most data security regulations because it prescribes specific technical measures that must be taken to protect Personally Identifiable Information (PII), which forces businesses to become proactive in securing their technology. Many of the measures outlined in the bill are actions that companies should already be taking, such as ensuring that the enterprise is adequately protecting PII. While this initiative seems intuitive and straightforward, it has proven to be challenging for many organizations.
The new regulations require companies to limit the amount of data they collect, maintain a written security policy and keep a detailed inventory of all personal data and where it is stored. The regulations also require any business that handles sensitive personal information on citizens of the Commonwealth of Massachusetts to encrypt that data as it is transmitted via the Internet or stored on external mobile devices such as laptops, USB drives and other mobile storage equipment.
Companies working to ensure they are compliant with the law face many similar challenges, but also numerous issues that vary depending on industry and company size. Many enterprises struggle to understand the flow of PII through their environment and where this data is stored, if indeed it is stored within the company's own environment and not with a third-party organization. In the past, this was more straightforward, as most organizations tended to store data in databases in data centers or, in the worst case, on desktops and laptops. It has become more challenging with the widespread deployment and adoption of mobile devices and remote and portable storage, in addition to the acceleration of cloud- and virtualization-based technologies and services.