New information security requirements take effect in Massachusetts
In March, Massachusetts became the first state to implement specific information security requirements for those who conduct business in the state. The new rules apply to all entities that own, license, store or maintain personal information about a Massachusetts consumer or employee. Since it may be impractical for a company to treat information collected from Massachusetts residents differently from information collected from others, many companies will need to review their data privacy and security programs to make sure they meet the new requirements.
Included in the data security standards are two provisions that have a broad impact across all types of industries. While many of the standards are similar to the requirements financial institutions must follow under the Gramm-Leach-Bliley Act, the new rules require all types of businesses to comply. As a result, many other businesses, such as retailers, that have not previously been required to follow such standards must now adjust their data security policies.
Additionally, the standards broaden liability, as they require entities to take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect it. The regulations neither impose any separate obligation to obtain certifications from third-party service providers that they are in full compliance with the regulations, nor require those providers to implement the specific protocols imposed on businesses under the regulations. As a result, businesses must perform due diligence to fully understand the data security processes used by their vendors.