Massachusetts Data Protection Law
201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, will require businesses that own, license, store or maintain personal information about a resident of the Commonwealth to follow comprehensive information security requirements. The goal is to safeguard personal information contained in both paper and electronic records. All organizations with operations and/or customers in the state of Massachusetts must adhere to these standards by March 1, 2010.
To comply with the Computer System Security Requirements of this new Massachusetts data protection law, organizations must:
Control passwords to ensure they are kept in a location and/or format that will not compromise the security of the data they protect
Encrypt all personal information stored on laptops or other portable devices
Ensure reasonably up-to-date firewall protection and operating system security patches, designed to maintain the integrity of the personal information
Ensure up-to-date versions of system security agent software, which must include malware protection and up-to-date patches and virus definitions