Newly effective regulations promulgated under Massachusetts' recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach. The Regulations are national and international in scope, as they apply to all companies, wherever located, that use personal data of Massachusetts residents.
Although the deadline for compliance with the Regulations, March 1, 2010, has come and gone, many companies, both within Massachusetts and particularly outside of it, are in fact not yet compliant. These companies are finding themselves in a position of playing "compliance catch-up." Even companies that were compliant with applicable law prior to the enactment of the Regulations are obligated to review where they stand in light of these new requirements.
The concern over non-compliance is not limited to Massachusetts regulatory enforcement. Companies are also concerned that private plaintiffs in data security breach-related litigation will allege that the Regulations establish a "standard of care" for the purpose of asserting a negligence claim.
In an article just published by the Washington Legal Foundation, we review the requirements of the Massachusetts law and Regulations, including the required written information security program, constraints on third-party providers and vendors, and enforcement mechanisms, among other topics.
We conclude with a discussion of whether other states, or the federal government, will adopt similarly tough data security laws, and some practical advice for affected companies.