Massachusetts recently passed 17 CMR 201, a new data protection/data breach notification law. After several revisions of the regulation and several delays in the compliance deadline, the rule is currently scheduled to go into effect March 1st of this year.
As of the time of this writing, there is no official proactive auditing process or body for this regulation. Organizations that are required to comply will only be audited if there is an investigation due either to a suspected or known data breach (and even then, an audit is not necessarily going to happen). The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), which is part of the Secretary of the Commonwealth's office, has built the regulation, but enforcement will fall under the purview of the attorney general's office. The Massachusetts attorney general will be the one to determine whether an organization is in compliance, as well as pursue legal action in the event of non-compliance.
For more information:
- Read more about interpreting 'risk' in the Massachusetts data protection law.
- What are the mobile device encryption requirements under the Mass. data protection law? Learn more.
This was first published in January 2010