SAI Global Compliance

Lisa J. Sotto
Hunton & Williams


Ms. Sotto is a partner in the New York City office of Hunton & Williams. She concentrates her practice on privacy and information management issues. She assists clients in identifying, evaluating and managing risks associated with privacy and information security practices of companies and third parties and conducts all phases of privacy and data protection assessments and information security audits. She further advises clients on the Gramm-Leach-Bliley Act, HIPAA, COPPA, CAN-SPAM and other U.S. state and federal privacy requirements (including HR requirements); the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); and global data protection laws (including those in the EU and Latin America).

Massachusetts Revises Information Security Regulations and Extends Compliance Deadline

by Lisa J. Sotto, Mar 27, 2009

Several states now require businesses that maintain personal information to implement data security measures, and Massachusetts has been especially active in this area. Last fall, the state issued regulations (201 CMR 17.00) requiring any person who holds personal information about Massachusetts residents to develop and implement a comprehensive, written information security program to protect that data. The compliance deadline, originally January 1, 2009, was first extended to May 1, 2009 and has now been pushed back further, to January 1, 2010, in consideration of the economic climate.

In addition to extending the compliance deadline, Massachusetts has made substantive changes to the requirements. Businesses will no longer need to obtain written certifications or contractual representations from service providers with access to personal information attesting to the safeguards those providers have in place. Other service provider-related requirements remain, however: businesses must still take all reasonable steps to:

1) “verify that any third-party service provider with access to personal information has the capacity to protect such personal information” in the manner provided for by the regulations; and
2) “ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information” under the regulations.

The revised regulations also clarify the encryption requirements for data in transit, applying them to “all transmitted records and files containing personal information that will travel across public networks” and to “all data containing personal information to be transmitted wirelessly.” Previously, the transmission requirement was not limited to data containing personal information. In practice, any channel that carries personal information over the Internet (for example, e-mail, file transfer or web traffic), and any wireless link that carries such data, including wireless segments of an otherwise internal network, must be encrypted. Organizations should therefore inventory those channels alongside the records and systems the regulations already require them to identify.

The regulations retain the other key requirements for organizations that maintain personal information, including mandates to:

  • Develop and implement a comprehensive, written information security program;
  • Identify all records, systems and storage media that contain personal information;
  • Conduct an annual review of security measures;
  • Use secure user authentication protocols and secure access control measures; and
  • Adhere to other technical requirements.