Other states with data privacy laws include:

Nevada: http://www.compliancebuilding.com/2008/10/29/nevada-law-on-privacy-of-personal-information/
New Hampshire: http://www.compliancebuilding.com/2010/01/15/compliance-bits-and-pieces-for-january-15/
New York: http://www.compliancebuilding.com/2008/12/10/six-states-now-require-social-security-nu/
New Mexico: http://www.compliancebuilding.com/2008/12/10/six-states-now-require-social-security-nu/
Michigan: http://www.compliancebuilding.com/2008/12/10/six-states-now-require-social-security-nu/
Texas: http://www.compliancebuilding.com/2008/12/10/six-states-now-require-social-security-nu/

If you have a Massachusetts client’s name and their social security number, then you are subject to this law. If you get a W-9 or tax filings or other filings through email and those filings have a Massachusetts client’s name and their social security number, then that means your laptop and blackberry need to be encrypted. Your document systems need to be secure and you need proper protocols in place.

Personal information, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Since Facebook does not collect SSNs or financial account info, I don’t think the kind of breach you mention is covered under the law.