What it covers: This Massachusetts law, which went into effect in March 2010, protects the state's residents against fraud and identity theft. It requires any business that stores or uses personally identifiable information about a Massachusetts resident to develop a written, regularly audited plan to protect that information. It takes a risk-based approach to information security rather than a prescriptive one: businesses are directed to establish a security program that takes into account the size and scope of the business, its resources, the nature and quantity of data collected or stored, and the need for security, instead of being required to adopt every component of a fixed program.
Who is affected: Businesses that collect and retain personal information of Massachusetts residents in connection with the provision of goods and services or for the purpose of employment.
Link to the law: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
Key requirements/provisions: The regulation's key requirements include the following:
* A documented information security program, detailing technical, physical and administrative measures taken to safeguard personal information.
* Encryption of personally identifiable information (a name in combination with a Social Security number, bank account number or credit card number) when it is stored on portable devices, such as laptops, PDAs and flash drives, or transmitted wirelessly or over public networks.
* Selection of third-party service providers that can properly safeguard personal information.
* Designated employees charged with overseeing and managing security procedures in the workplace, as well as continuously monitoring and addressing security hazards.
* Limits on the collection of data to the minimum required for the intended purpose.
* Computer system security requirements, including secure user authentication protocols, access control measures, system monitoring, firewall protection, up-to-date security patches and security agent software, and employee education and training.
Source: Commonwealth of Massachusetts Office of Consumer Affairs
Nevada Personal Information Data Privacy Encryption Law NRS 603A