Massachusetts Data Breach Notification Law Signed

On January 10, 2019, Massachusetts Governor Charlie Baker approved new legislation regarding data breach notification that will significantly impact businesses that own or license personal information about Massachusetts residents. The new data breach notification law introduces new requirements and mandates for notifications in the event of a data breach. According to the new Massachusetts law, titled Chapter 93H of Massachusetts General Law Part I, Title XV:

“(A) breach of security is the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the Commonwealth.”

One of the most important facets of the law is the requirement that breach notifications state whether the individual or company maintains a Written Information Security Program, or “WISP”. The law states, in part:

“Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards…”

The Impact on Businesses

This means that your company, whether it is a one-person operation, an SMB, or an enterprise, must have a WISP to comply with the law. If your company suffers a security breach and does not have a WISP, the penalties could be severe.

One of the benefits of having a WISP is that it promotes better security awareness among employees. When employees have been trained to comply with the WISP, there is another line of defense against the all-too-common and increasingly expensive scenario of a data breach.

Resources to Help You Comply with the Law

Check out the links below to help you develop and implement a WISP for your organization and comply with the new law: