Problem solve Get help with specific problems with your technologies, process and projects.

Who is in charge of the Massachusetts data protection law audit?

Learn more about the process of data protection audits for the Massachusetts data protection law.

Our company is in the process of becoming compliant with the Massachusetts Data protection law. What is the audit process for this law, and is there a regular auditing body?

Massachusetts recently passed 17 CMR 201, a new data protection/data breach notification law. After several revisions of the regulation and several delays in the compliance deadline, the rule is currently scheduled to go into effect March 1st of this year.

As of the time of this writing, there is no official proactive auditing process or body for this regulation. Organizations that are required to comply will only be audited if there is an investigation due either to a suspected or known data breach (and even then, an audit is not necessarily going to happen). The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), which is part of the Secretary of the Commonwealth's office, has built the regulation, but enforcement will fall under the purview of the attorney general's office. The Massachusetts attorney general will be the one to determine whether an organization is in compliance, as well as pursue legal action in the event of non-compliance.

For more information:

This was last published in January 2010

Dig Deeper on IT security audits and audit frameworks

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.