Massachusetts Data Protection Regulation
Tight Data Security Laws in Massachusetts
One of the nation’s most stringent data security laws, the Massachusetts Data Protection Regulation (MA 201 CMR 17) was once a trailblazing piece of legislation. When enacted, it marked the first time a government body mandated the use of a specific technology to enforce privacy regulations. Massachusetts requires that businesses encrypt all transmitted personally identifiable information (PII) of their customers.
Not only does this law apply to Massachusetts businesses; it applies to any firm conducting business with any resident of Massachusetts, including third-party vendors. In effect, any company that wants to sell anything to a resident of the nation’s 13th largest economy must adopt these measures.
The First Straw
The regulations were ushered in on the heels of the most significant data breach in history at the time. In 2007, TJX Companies, based in Framingham, Mass., announced a data breach in which hackers exposed at least 45.7 million credit and debit card holders to identity fraud.
As a result of this catastrophic data loss, this new law was designed to protect consumers on three fronts:
- To ensure the security and confidentiality of customer information,
- To protect against anticipated threats or hazards to the security or integrity of such information,
- To protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.
Since 2011, there have been plenty of other major breaches, including several that passed the 100-million-record mark, such as Heartland, eBay and Adobe.
Yet the Massachusetts law is much more than an encryption mandate. Encryption is only a part of an overall information security plan that businesses must develop. Other computer system requirements include: secure user authentication protocols, secure access control measures, reasonable monitoring of systems, and up-to-date software.
Beyond system requirements, businesses are also accountable for making sure that their human resources can implement and maintain these programs. Businesses must: 1) designate one or more employees to maintain the security program, 2) provide ongoing employee training, and 3) develop security policies for employees relating to the storage, access, and transportation of records.
However, according to the Commonwealth, these safeguards should be appropriate to the size of the business, the amount of resources available to that business, and the amount of sensitive data stored. Essentially, the law requires businesses to put forth their “best effort” to ensure certain types of data are protected to the best of their ability.
If a public data breach does occur, the application of this law will hinge on the answer to the question, “Did you do everything within your power to protect this information?” To some extent, this nebulous definition can lead to legal debates of technical possibilities versus financial burden.
Businesses Are Culpable for Third Parties
In addition, businesses are also responsible for the security practices of any third-party vendors that may have access to the PII of their clients. Companies subsequently must take “reasonable steps” to select third-party service providers that maintain appropriate security measures.
Intronis is a Massachusetts-based cloud backup and recovery provider that already employs these strict security measures. Our partners who resell our cloud backup solution in Massachusetts, Nevada, and throughout North America are assured that their clients’ data is safe, and that our methods are in compliance with the law. Intronis encrypts the data we store twice — at rest when in our mirrored data center and in transit.
Even before data is transported to our mirrored data centers, it is encrypted using 256-bit AES security — a more stringent level of security than even cloud banking institutions use. Intronis’ data centers — located thousands of miles apart — have biometric controlled access, 24/7 monitoring, and backup generators.
The Bottom Line
Although Massachusetts and Nevada were the first states to enact strict data laws, much of the nation has followed suit in more recent years. In fact, Alabama, New Mexico and South Dakota are the only three states lacking any type of data protection or breach notification law. All signs point to the impending passage of a standardized national law to govern these matters, while international statutes are already in place and accelerating.
It is simply good business practice to go above and beyond the call of compliance and take every precaution to safeguard all data. Companies that are proactive in protecting their data will be better positioned to retain their clientele and attract new prospects as fears of breach continue to grow.
Would you like to know more?
Standards for Protection of Personal Information of Residents of The Commonwealth