What's Happening in Massachusetts?
There's a new law - officially known as 201 CMR17.00 - Standards for the Protection of Personal Information of Residents of the Commonwealth.  The law establishes standards for organizations that store or maintain personal information about a resident of the Commonwealth (or State) of Massachusetts.  The purpose of the law is to (i) ensure the security and confidentiality of this personal information in a "manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of the information, and (iii) protect against unauthorized access to or use of the information in a manner that creates a substantial risk of identity theft or fraud against such residents."  Massachusetts defines personal information as a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; It does not include any information that can be lawfully obtained from publicly available information, or from generally available federal, state or local government records. 
 
Right away you can see that this law - like the original California breach notification law - affects non-Massachusetts-based organizations.  You only need the record of one Massachusetts resident in your database to be affected by this law.   So what if you are affected?  Or what happens if similar laws start to spread to other states or countries?  Let's talk about why you should care about this law and what you'll need to do if you're affected.
 
Why you Should Care
While not as specific as the Payment Card Industry's Data Security Standards, unlike most data privacy laws - even the long-standing EU Data Protection Directive - this law dictates the use of specific protection mechanisms and other actions that should be taken to protect the private data.  For example, it requires that access to private data be restricted to only "those who need such information to perform their job duties".  In addition, it requires that the protection be addressed in a comprehensive manner.  It demonstrates this by requiring education and training of employees on the "proper use of the computer security system and the importance of personal information security" as well as the appointment of "one or more employees to maintain the comprehensive information security program".  Most laws just state the fact that data must be protected.  They don't dictate how the data is to be protected. 
 
The Cost of Non-Compliance
Beyond being the "right thing to do" to protect this data, another motivating factor for compliance with this law are the penalties.  This law is associated with the Massachusetts breach notification law (Massachusetts General Law 93H)  which allows for civil penalties to be levied.
 
Compliance Deadline
Fortunately, you have a few months if you must comply with the Massachusetts law.  The original date for compliance had been January 2009, then it was moved to May 2009 and is now set for January 1, 2010.  

More than two-thirds of small to midsize businesses admitted that human error or deliberate sabotage by their employees was the cause of a data breach at their companies, according to a new survey released today by Symantec.

 

And nearly 80 percent pointed to the loss of a device or backup tape as another breach source, indicating that malicious, clumsy, or forgetful employees are the cause of a huge amount of lost data each year.

 

So what are these companies doing to do to protect themselves?