One of the features of the new Massachusetts Data Privacy Law is that it forces some knowledge management on companies in the context of data breaches.
Since the law required compliance on or before March 1, 2010, I assume you already have the policy and safeguards in place. That is, if you have social security numbers or financial account information for any Massachusetts resident in your computer systems or files. Yes, the reaches beyond the borders of Massachusetts and is not limited to Massachusetts companies.
201 CMR 17.03(h) and (i) require regular monitoring of your program and a periodic review of its scope.
201 CMR 17.03(j) goes on to require that you document any responsive actions, have a post-incident review and document any changes to your program after the review. That sounds a lot like knowledge management to me.
The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf). You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).
Image is by Darwinek in Wikimedia Commons: Flag Map of Massachusetts
