Privacy in a mobile world: Massachusetts data privacy law

Process and technology steps to manage compliance in ever-more-complex computing environments

By Robbie Higgins, CSO
April 15, 2010 01:41 PM ET

The Massachusetts Data Privacy law, effective as of March 1, 2010, states that all businesses that collect personal data from or about Massachusetts residents will need to adopt a comprehensive written security program. Unlike most state-based data privacy laws, which focus primarily on public disclosure once a breach occurs, the new Massachusetts law prescribes that more stringent protective measures be taken to prevent breaches from occurring in the first place.

Also see The Mass 201CMR17 Survival Guide

The Massachusetts law is more actionable than most data security regulations because it prescribes specific technical measures that must be taken to protect Personally Identifiable Information (PII), which forces businesses to become proactive in securing technology. Many of the measures outlined in the bill are actions that companies should already be taking, such as ensuring that the enterprise is adequately protecting PII. While this initiative seems intuitive and straightforward, it has proven challenging for many organizations.

The new regulations require companies to limit the amount of data they collect, maintain a written security policy and keep a detailed inventory of all personal data and where it is stored. The regulations also require any business that handles sensitive personal information on citizens of the Commonwealth of Massachusetts to encrypt that data as it is transmitted via the Internet or stored on external mobile devices such as laptops, USB drives and other mobile storage equipment.

Companies working to ensure they are compliant with the law face many similar challenges, but also numerous issues that vary depending on industry and company size. Many enterprises face the issue of understanding the information flow as it pertains to PII and where within the environment this data is stored, if indeed it is stored within the company's environment and not with a third-party organization. In the past, this was more straightforward, as most organizations tended to store data in databases in data centers or, in the worst case, on desktops and laptops. This has become more challenging with the widespread deployment and adoption of mobile devices and remote and portable storage, in addition to the acceleration of cloud- and virtualization-based technologies and services.

Smaller companies tend to have different challenges than larger enterprises in determining where and how to get started. In many cases these smaller companies lack the resources, both in headcount and budget, to put in place the security plan, policies and procedures needed. In addition, it is difficult for smaller enterprises to put in place the appropriate technology-based controls required to ensure they adequately protect the data of concern. Larger companies are more challenged in determining where the information in question is located, how it is accessed and who has access to it. This is often the case because larger companies tend to have a more distributed environment, using different technologies ranging from operating systems and hardware platforms to multiple applications collecting and processing data. The core issue tends to be one of understanding information flow and storage in a highly complex environment.
