Enterprise, government and other organizations in Massachusetts have just over one month to bring their data protection practices in line with some of the strictest rules in the United States, or face fines and a variety of other sanctions for non-compliance.
As technology news provider Computerworld recently reported, most of the provisions of Massachusetts General Law Chapter 93H have already gone into effect. The final part of the bill covers third-party service providers and will start being enforced on March 1.
The law was enacted in 2010 in an effort to protect Massachusetts residents from data breaches and other forms of data loss. Under the bill, every organization that owns or licenses personal data concerning state residents – whether the business itself is within Massachusetts or not – is required to implement and maintain data security practices to ensure information is reasonably protected.
The bill lays out several ground rules pertaining to data protection. For example, organizations must designate at least one employee to maintain the "comprehensive information security program," which should include measures to identify and assess internal and external threats against electronic, paper and other records containing personal information.
The regulations had been under intense scrutiny even before the bill was passed. The law was supposed to go into effect in January 2009, but was delayed for more than a year and saw several modifications during that time.
According to Computerworld, the final provision dealing with third parties was one of the most contentious elements of the bill. The law requires companies to include language within their contracts with service providers to ensure that vendors have "reasonable restrictions" for protecting the personal information of Massachusetts residents.
Socheth Sor of Edwards Wildman Palmer told Computerworld that companies will not be required to audit their third-party vendors, but they should have language within their contracts that would allow them to do so. Contracts must also require third parties to notify companies of any data breaches immediately.
The bill also lays out a number of requirements pertaining to computer system security. Such provisions include the encryption of all personal information stored on portable devices and laptops, data access controls and the monitoring of systems containing sensitive data.
Last September, Massachusetts Attorney General Martha Coakley revealed that nearly one out of three state residents has had his or her personal information compromised since early 2010, according to the Boston Globe. Between January 2010 and August 2011, approximately 2.1 million Massachusetts residents were affected by either data theft or loss.
Coakley, who noted that her office had received 1,166 data breach notices in that time frame, said the problem was likely to get worse before getting better, as companies continue to store more personal information on their networks.
"There is going to be more room for employee error, for intentional hacking. This is going to be an increasing target," Coakley said, according to the Globe.
One significant breach occurred in the spring of 2011, when as many as 1,500 computers housed by the state's Departments of Unemployment Assistance and Career Services were infected by the W32.QAKBOT virus. According to the Massachusetts Executive Office of Labor and Workforce Development, some 1,200 employers could have been affected by the breach, compromising the personal information of thousands of state residents.
Though the Massachusetts data breach law may be stricter than others in the United States, the continued threat of data theft and loss highlights the need for better data security practices. As more and more personal information is stored online, organizations must bring their data protection measures in line with various regulations to ensure that citizens are reasonably safe from the effects of data breaches and other threats.
Security News from SimplySecurity.com by Trend Micro