Massachusetts Data Security Law: Employers Take Note


Please note that the Massachusetts Data Security Regulations take effect on March 1, 2010. This impacts all employers in the state (whether they are based in the state or employ people there) that collect personal identifying information such as a person’s name together with any of the following: Social Security number, driver's license or state ID number, financial account number or credit card number. Most employers gather at least a portion of this information during the onboarding process and certainly need it if they conduct background checks.

In order to comply, employers must have a written information security program (“WISP”) in place by 3/1/10.

View Press Release from MA Office of Consumer Affairs


According to Massachusetts attorney Michael S. Kraft, not only do organizations based in the state of Massachusetts need to draft a policy to protect personal information, but so does any business that has any employee or consumer customer located in Massachusetts.

I checked out his blog and also found other helpful advice for how employers can comply with these guidelines.

The new Massachusetts data security regulation goes into effect on Monday, March 1. If you have not yet begun to plan for the deadline, then likely either you are unaware of the requirements, or you are feeling overwhelmed by them. And who would blame you in light of the seemingly endless list of tasks:

  • Develop a written information security plan (WISP);
  • Identify all foreseeable risks in your organization by examining every nook and cranny where data enters, leaves or is stored;
  • Implement security policies and procedures and train your employees;
  • Secure all paper and electronic records; provide encryption;
  • Obtain written assurances from all vendors that they are compliant;
  • Regularly monitor and review to ensure compliance.

You know that it is vitally important, both because it’s legally required and because it’s the right thing to do to protect your customers. But where to begin? Do you need professional assistance – a lawyer or specialized IT firm – to accomplish this task? That really depends on the size and nature of your business, the data that requires protection and how much time and energy you are willing to devote to the process. Many businesses are probably capable of accomplishing a lot on their own. For the most part, the regulation is a straightforward recitation of the tasks needed to comply. But is that the best use of your time? Noted author and business consultant Andy Birol would caution business owners to judge very carefully those tasks that they choose to do by themselves and those that are properly delegated.


  • This is something everyone should implement.