There is a specific Massachusetts governmental regulation concerning protection of personal information of residents of the Commonwealth. This regulation protects individuals, corporations, partnerships and other entities. It imposes obligations on any company which retains “personal information,” which is defined as the resident’s name plus any one of: social security number; driver’s license number or State-issued identification number; financial account number, or credit or debit card number, with or without security or access code.
Any business that has personal information about a Massachusetts resident, by ownership or by license, must have a “comprehensive security program” that contains “administrative, technical, and physical safeguards that are appropriate” to the size and nature of one’s business and data. There is a long list of specifics which must be contained in the security program.
Additionally, the holder of personal information must have provisions protecting computers, including any wireless system, that conform to an additional long list of specific user controls, including authentication, selection of passwords, restricting and blocking unwanted access, encryption for information over public networks, up-to-date software, and training of employees.
It is axiomatic that cyber security is just not a “financial records” issue. Many companies possessing personal information are already closely monitored by reason of their business, for example health care and financial services. But even the simplest of businesses must comply with Massachusetts law.
One more thing; if your business possess personal information that is going to the EU, there are particularly draconian regulations, with massive government fines, of which you should be aware.