Massachusetts Passes Aggressive New Data Security Law

April 29, 2010 at 7:16 pm

Do you own or license personal information about a resident of Massachusetts?  If so, then a new data security law, 201 CMR 17.00, applies to you.  You must develop, implement and maintain a comprehensive information security program that includes a security system covering computers, including any wireless system.  Among other requirements, you must ensure that, where technically feasible:

  • All data containing personally identifiable information (PII) must be encrypted on the wire and as it is transmitted across public networks or wirelessly.  This means, for example, that PII must be sent over HTTPS, not HTTP, and must be encrypted when stored in SQL Server.  This rule has significant implications for database applications.
  • All PII data stored on laptops or other portable devices, such as smartphones and USB drives, must be encrypted.
  • Backup tapes must be encrypted on a prospective basis.

Penalties for noncompliance are enforced through Massachusetts General Law Title XV: Regulation of Trade, chapter 93A, section 4.  Civil money penalties of up to $5,000 per breach or lost record may be assessed, as well as reasonable costs of investigation and litigation, including attorneys' fees.  Any data breach must be reported to both the Office of Consumer Affairs and Business Regulation and the Attorney General.

The law became effective March 1, 2010 and can be found here:

Answers to Frequently Asked Questions regarding the rule can be found here:

Entry filed under: Privacy/Data Security.

Produced & Maintained By Stinson Leonard Street


A legal resource for Banking & Financial Services

