Tuesday, March 2, 2010

Privacy, Please

On March 1, 2010, new standards went into effect in Massachusetts for the protection of personal information in both paper and electronic records. Mass. CMR Section 17.00 applies to all persons that own or license personal information about a resident of the Commonwealth.

Every person that owns or licenses personal information about a Massachusetts resident is now required to develop, implement, and maintain a comprehensive WRITTEN information security program, together with physical safeguards, appropriate to the individual business and the amount and type of personal data it maintains. The regulation applies to those "engaged in commerce", i.e. those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. Businesses are required to designate an employee to maintain the security program, to institute policies for safeguarding personal information, and, to the extent personal information is stored electronically, to establish and maintain a secure computer/electronic system, including firewall and encryption capabilities. Of particular importance to those of us operating largely over the internet is the requirement that any personal information transmitted wirelessly must be encrypted so as to bring about a "transformation of data into a form in which meaning cannot be assigned", meaning that the data must be altered into an unreadable form. Password protection alone is not sufficient and would not satisfy the encryption standard.

The new rule adopts a risk-based approach to information security, directing a business to establish a written security program that takes into account the particular business' size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.

The state Office of Consumer Affairs and Business Regulation developed a compliance checklist to assist small businesses in complying with these regulations. It can be found at http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf.

1 comment:

Gretje Ferguson said...

Thank you, Judy. Excellent, clearly written article. I also appreciate the link.