Massachusetts Data Security Regulations: Your Company May Not Be Located There, But If Your Customers Are, You Need to Comply
As we've discussed in prior posts, newly effective regulations promulgated under Massachusetts' recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach. The regulations are national and international in scope, as they apply to all companies, wherever located, that use personal data of Massachusetts residents.
Although the deadline for compliance with the Regulations, March 1, 2010, has come and gone, many companies, both within Massachusetts and particularly outside of it, are not yet, in fact, compliant. These companies are finding themselves in a position of playing "compliance catch-up." Even companies that were compliant with applicable law prior to the enactment of the Regulations are obligated to review where they stand in light of these new requirements.
In an article just published by the Washington Legal Foundation, we review the requirements of the Massachusetts law and Regulations, including the required written information security program, constraints on third-party providers and vendors, and enforcement mechanisms, among other topics. "The Bay State Raises the Bar on Personal Data Security: Are You in Compliance?," by Jeffrey D. Neuburger and Natalie Newman is available here.