The New Massachusetts Data Security Regulations

Goodwin Procter sponsored a webinar on the new Massachusetts data security rules.

Deb pointed out that you may now need to collect the state of residence of the client to figure out if they are in Massachusetts. That may have the perverse effect of collecting additional information about the person.

Deb points out that “financial account” is not well defined. She looks back to the statute and sees that it is focused on identity theft. If the “financial account” can lead to identity theft or the loss of money from that account then it would probably be a financial account.

In evaluating compliance you can include these factors:

  • size, scope and type of business,
  • entity’s resources,
  • amount of stored data, and
  • need for security and confidentiality of both consumer and employee information.

Deb points out that the Massachusetts regulators think the rules align with the federal data breach notification requirements. The regulators also think the rules are merely applying more detailed requirements to the broad principles under the federal rules.

The regulators are deferring to the Attorney General for enforcement. The new rules do not provide a private right of action.

The Written Information Security Program has four main groups.


  • Identify all records used to store information. The rules do not require an inventory. The regulators want you to know the answer. They suggest an information flow to see where information is gathered, where it goes and where it gets stored.
  • Identify and assess risk.
  • Evaluate and improve safeguards. This includes the security system and compliance training.
  • Limit collection and use. Personal information should only be available to those who need it and then only the information they need. Don’t gather it if you do not need it and don’t keep it if you do not need it.


  • designate a responsible employee
  • develop security policies
  • verify the capacity of service providers to protect personal information
  • The certification must specifically address the Massachusetts rules and must state that the signatory was authorized to sign it.

Technical and Physical

  • establish a security system
  • restrict physical access
  • prevent access by former employees
  • document responsive actions in event of data breach

Maintain and Monitor

  • post-incident review
  • disciplinary measures for violations
  • regular monitoring
  • annual review (if not more often)

Jacqueline Klosek focused on the computer system requirements. She put together specific requirements:

  • encryption – of stored information on portable devices and information in transit. Portable memory sticks are a big problem.
  • secure user authentication protocols
  • reasonable monitoring of systems
  • firewall
  • malware and virus protection
  • education and training

Agnes laid out 3 things to get done by May 1, 2009:

  • Implement internal policies and practices
  • encrypt company laptops
  • amend contracts with service providers to incorporate data security requirements

By January 1, 2010:

  • obtain written certifications from service providers
  • encrypt other portable devices (non-laptops)