Site Menu

Massachusetts privacy law gets some security standards to go along with it

By Jim Hietala
Published 11/20/2008

I guess this is what happens when you are the home state of TJX and BJ's Wholesale.

Massachusetts has passed a regulation that adds *significant* prescribed security controls in support of their data privacy regulation passed in 2007. The new regulations require (for businesses that process or store the PII of Massachusetts residents) security programs with these controls in place:

- written information security program
- passwords, encryption for laptops
- risk assessments
- security policies around records retention
- policies and procedures to prevent terminated employees from gaining access
- physical access control policies and procedures
- security incident response policies
- monitoring for unauthorized access
- encryption of PII on laptops and other portable devices
- encryption of PII data in transmission

Massachusetts sets the new high water mark for privacy legislation, and the degree to which they are prescribing specific security controls.

The regulation becomes effective 1/1/2009. Enforcement is up to the Massachusetts Attorney General, and the legislation applies to businesses anywhere that have MA residents in their databases.

Most of these security controls are best practices sorts of things, and they are the kinds of things that you see in GLBA, PCI DSS, ISO 27002, and other regulations and industry standards. So they shouldn't come as much surprise to large businesses. But the existence of this new state regulation adds to your risks if you get security wrong, and it should further help to justify security spending to management.

Jim

Jim Hietala

Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.

Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.

He holds a B.S. in Marketing from Southern Illinois University.

Blog: www.compliancefocus.com

Twitter: http://twitter.com/jim_hietala

LinkedIn: http://www.linkedin.com/in/jimhietala

Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy

Jim can be reached at: jim@compliancefocus.com