The Massachusetts Office of Consumer Affairs and Business Regulation has provided guidance regarding its new regulations requiring all entities that own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts to develop, implement and maintain a comprehensive written information security program and make specific computer information security requirements. I mentioned the regulations, which have a January 1, 2009 compliance date, previously: New Massachusetts Privacy Laws, Privacy and Security Alert: Massachusetts Has New Data Security Regulations, Massachusetts Regulations to Mandate Comprehensive Information Security Requirements.
The newly issued guidance consists of the following:
- Frequently Asked Questions
http://www.mass.gov/Eoca/docs/idtheft/idbreachfaqs.pdf - Small Business Guide for Formulating a Comprehensive Written Information Security Program
http://www.mass.gov/Eoca/docs/idtheft/sec_plan_smallbiz_guide.pdf - Compliance Checklist
http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf