The department of consumer affairs and business regulation shall adopt regulations relative to any person that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth …
Here is a link to the Executive Order signed by Governor Patrick on September 19, 2008.
The Executive Order applies to State agencies; the regulations apply to the private sector.
The regulations are of particular interest. They require private sector entities who keep personal information about individuals to meet “minimum” security standards for paper and electronic records. They apply broadly to “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts”. They require the creation of a “written information security program” which must be “reasonably consistent with industry standards.” The most minimal requirements of such a program are (to my eye) quite extensive (and burdensome). I think it is an understatement to say that the regulation and Executive Order will attract a great deal of attention and preparation between now and year-end, and will likely spawn a new (or expanded) industry of compliance consultants.
I am a founding partner at the Boston law firm of Gesmer Updegrove LLP. This blog focuses on my practice areas: IP, business and antitrust law, as well as any other topic (legal or otherwise) that strikes my fancy. I've also tried to make the blog (and my scribd.com page, below), a resource on practice in the Massachusetts state and federal courts.