Implementation of the Massachusetts data security regulations this week will impose a broad range of administrative, physical, and technical security requirements upon enterprises operating in the Commonwealth. Among the myriad obligations contained in the regulations are several potential pitfalls that may prove particularly challenging for covered organizations. Adopting appropriate policies and procedures for the encryption of email (as well as similar messaging technologies) and portable devices may cause upheaval in common business practices, including those involving communication with customers and business partners. In addition, obligations to vet and monitor the security practices of service providers may result in difficult decisions about how the share highly confidential information that could compromise the very safeguards in question.
Effective today, March 1, 2010, Massachusetts’ information security regulations shall require all enterprises collecting personal information from Commonwealth residents to implement a comprehensive, documented information security program that includes administrative, physical, and technical safeguards. The regulations go on to specify a wide range of detailed obligations that must be satisfied. As a result, the regulations may constitute a substantial change in direction for information security law and practice throughout the United States.