Massachusetts’ New Data Security Regulations

Massachusetts now has arguably the most sweeping data security regulations in the country. They require action by virtually all Massachusetts businesses, and many businesses outside Massachusetts. Legal and IT professionals are quickly coming to realize the wide-ranging changes the regulations demand in the way sensitive “personal information” is treated.

Among the more controversial provisions, affected businesses must now:

  • encrypt any personal information transmitted over the internet
  • encrypt any personal information on a laptop or mobile device (such as a BlackBerry)
  • require third-party service providers to treat personal information in accordance with the new regulations
  • physically lock up any records (paper or electronic) containing personal information

The deadline for most of the new regulatory requirements is May 1, 2009. For many, achieving compliance by this date will be challenging. For some, it may prove impossible. Getting started now is the best way to approach the task.
