Understanding the Nuances of the Massachusetts Data Privacy Law

Personal data protection laws continue to expand across borders and industries in light of the increasing number of security breaches companies are experiencing worldwide. To stem the tide of confidential customer information theft, Massachusetts enacted comprehensive data security legislation, typically referred to as the Massachusetts data privacy law.

In this article, we’ll discuss the nuances of the Massachusetts data security laws and how they can impact your business.

What is the Massachusetts Data Privacy Law?

Massachusetts has long been known among U.S. states for its innovation regarding privacy and data security.  MA privacy laws became notable in 2009 for their strict personal data safeguarding measures.

Recently, Massachusetts data security regulations received an enhancement under the Standards for the Protection of Personal Information of Residents of the Commonwealth (the Safeguards Regulation). These amendments resulted in tougher privacy laws in Massachusetts than in any other state.

The central law of Massachusetts data privacy laws is the Safeguards Regulations. This set of mandates outline specific requirements businesses must fulfill to protect residents' personal data.

Do Massachusetts Data Privacy Laws Apply to My Business?

The Safeguards Regulation is not sector-specific and not limited to businesses located in or conducting business in Massachusetts. Rather, it applies to any business that deals with the personal information of Massachusetts residents.

The Mass privacy law covers both paper and electronic records. So, if you own or license personal information from residents of the Commonwealth, these laws apply to you.

However, according to Payment Card Industry standards, organizations that rely only on credit card swipe technology and data batch processing are also exempt. This exemption is because they don't have actual custody or control over personal information.

What is Personal Information?

Personal information has been explicitly defined under the Massachusetts data protection law. It includes a resident’s:

  • First and last names

  • Social Security number

  • Driver's license or state-issued identification number

  • Financial account number

  • Credit or debit card number

Under the Massachusetts data security law concerning credit card or financial account numbers, this data is protected with or without any required security code, PIN, or password that would permit access to the resident's financial account.

An exemption to the personal information classification is information obtained lawfully from public government records or other publicly available sources.

Massachusetts Standards: Setting the Bar High

Massachusetts privacy law is one of the nation’s strictest policies about personal information, as it takes a risk-based approach to information security. Companies are tasked with implementing a written information security program (WISP), under which they should consider "its scale, scope, amount of capital, nature, and quantity of data collected or stored, and the need for security."

The law does not create an all-encompassing solution. Small businesses that do not store or move vast volumes of personal information are permitted to follow less stringent criteria for their WISPs. However, some requirements for WISPs include:

  • Appointing individuals to oversee the robust information management program.

  • Developing a technique for detecting and avoiding security system failures.

  • Developing strong security policies for employees regarding the collection, storage, access, and transportation of records and personal information outside of the physical business location.

  • Developing and enforcing disciplinary procedures against individuals who violate the information security program.

  • Preventing terminated employees from accessing confidential details by revoking access privileges upon termination.

  • Assisting and supervising service providers or service organizations, requiring them to adhere to the client business's personal information security measures.

Additionally, the Commonwealth of Massachusetts data protection laws establish security standards for organizations' computer systems, which must include at a minimum the following:

  • Protocols for secure user authentication, including lock-out measures after unsuccessful log-in attempts.

  • Encryption of all transmitted documents and data.

  • Reasonable surveillance systems.

  • Encryption of all personal information stored on laptops and other portable devices.

  • Firewall defense that is reasonably current.

Using a Third-Party Provider

Another feature of the Massachusetts data privacy law that requires attention is the requirement that all third-party service providers maintain adequate security measures to protect personal information in accordance with the Massachusetts Standards and any applicable federal regulations. This service provider provision is modeled after the FTC's Safeguards Rule.

In this law, contracts signed between businesses and providers prior to March 1, 2010, are not necessary to contain such commitments. However, companies must take "reasonable steps" to select service providers capable of maintaining such security measures.

This requirement will almost certainly impact third-party services' price, as service providers must introduce additional protections, including encryption technologies, to comply with the legislation.

Enforcement and Penalties

The Attorney General of Massachusetts will be responsible for enforcing the Massachusetts Standards. For any breach of the regulation, regulators can bring actions for injunctive relief and civil penalties of up to $5,000 per violation (plus fair costs of prosecution and litigation).

Enforcement is less likely against companies who react quickly and thoroughly to a security incident. If you do suffer a penalty, your best plan is to demonstrate the incident was an accident and show compliance with industry-standard data protection practices.

The Attorney General's office will weigh the specifics of the violation, including:

  • The number of Massachusetts people who may have been affected.

  • Evidence of deliberate criminal theft.

  • The size of the company and its resources.

  • The adherence to the business's WISP.

  • The technological feasibility of enforcing measures to avoid the breach when deciding whether to take enforcement action.

Move Data Compliantly with Delphix

Privacy laws, such as GDPR, CCPA, and Massachusetts data privacy law, are constantly changing and becoming more stringent. Delphix is the only solution that seamlessly integrates masking and automated delivery of compliant data.

If you want to learn more about compliance best practices, learn how Delphix provides an API-first data platform enabling teams to find and mask sensitive data for compliance with privacy regulations.