On March 1, 2010, new personal information protection standards took effect in Massachusetts. The standards are published at 201 CMR 1700 and establish requirements for anyone who owns or licenses personal information about a resident of the state of Massachusetts — regardless of whether the information is maintained in written or electronic form.
Under the regulations, anyone who owns or licenses personal information about a Massachusetts resident must “develop, implement and maintain” a comprehensive, written information security program. The written information security program:
must contain[ ] administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.
The standards require that the written program include many additional elements, including:
- designating one or more employees as responsible for maintaining the program;
- imposing disciplinary measures on employees who violated the policy; and
- requiring third party service providers to implement and maintain appropriate security measures for personal information.
The standards also contains specific protocols for electronically stored personal information.
Several companies have developed software products to assist with masking of electronically stored personal information. These include DMSuite from Axis Technology LLC, and products from Grid-Tools. These products will not allow data holders to avoid developing an information security plan. However, tools like these can be a useful feature of a plan when it is developed.