Massachusetts has enacted data privacy and data security regulations that will make it eke out California for the most wide ranging state privacy and security laws--laws that are likely to impact the policies, practices, procedures, contracts and training used by companies nationwide. The Massachusetts Office of Consumer Affairs and Business Regulation determined that there was a significant need for set of comprehensive standards that ensure businesses are taking practical steps to safeguard personal information. While many of these practices are probably adopted by most companies in some way, shape or form--now a laundry list of minimum standards will be required. And, since it may be impractical for a company to treat information collected from Massachusetts residents differently than others--many companies across the country will need to look holistically at their data privacy and security programs across the country to make sure that they meet the requirements of Massachusetts standards.

Beginning on January 1, 2009, all businesses that collect personal data from or about Massachusetts residents will need to adopt a comprehensive written security program, conduct internal and external security reviews and complete employee training regarding their programs. While the efficacy of a security program will be determined based on the relative size of a company and the type and amount of data a company maintains, the standards clearly state that a security program needs to contain, at a minimum:

-- Designate one or more employees to maintain the security program.

-- Identify and assess the internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information.

-- Evaluate current safeguards and means for detecting and preventing security system failures.

-- Implement and evaluate ongoing employee training (which must include temporary and contract employees) .

-- Implement and evaluate employee compliance with policies and procedures.

-- Develop security policies that set forth whether and how employees should be allowed to keep, access, and transport records containing personal information outside of business premises.

-- Discipline employees for violating program rules.