Governor Patrick signed Executive Order 504, an order regarding the Security and Confidentiality of Personal Information, on September 19, 2008. This order revokes the earlier Executive Order 412.
There are also new state regulations 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth (effective Jan. 1, 2009) implementing M.G.L. c. 93H.
The Executive Order applies to state agencies. It goes further to require all contractors with the state to comply with the requirements. Further still, it requires those contractors to require their subcontractors to comply with the requirements as well.
The regulations apply to every person that “owns, licenses, stores or maintains personal information about a resident of the Commonwealth.” The regulations require:
“a comprehensive, written information security program applicable to any records containing such personal information. Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records.”
The regulations also require a designation of “one or more employees to maintain the comprehensive information security program.” Sounds like another task for the Chief Compliance Officer.
Thanks to Lee Gesmer of the Mass Law Blog for pointing this out: New Massachusetts Rules on Identity Theft.