New Massachusetts Regulations to Mandate Comprehensive Information Security Requirements

goodwinprocter_logo

Goodwin Procter LLP published a summary of the New Massachusetts Regulations to Mandate Comprehensive Information Security Requirements.

The regulations have broad coverage, applying to all entities that own, license, store or maintain personal information about residents of the Commonwealth of Massachusetts, regardless of whether or not the entity has operations in the Commonwealth. Federally regulated financial and other entities are not exempt from the Massachusetts regulations, raising the question of whether entities that are in compliance with Gramm-Leach-Bliley, HIPAA and/or SEC information security requirements will be considered to meet the new Massachusetts requirements. Significantly, “personal information” has a somewhat limited scope, and is defined as a resident’s first and last name or first initial and last name in combination with a Social Security number, driver’s license number or financial account number. The regulations impose two principal requirements: (i) the duty to develop, implement and maintain a very comprehensive written information security program that meets very specific requirements; and (ii) the obligation to meet specific computer information security requirements.

Author: Doug Cornelius

You can find out more about Doug on the About Doug page

One thought on “New Massachusetts Regulations to Mandate Comprehensive Information Security Requirements”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.