Massachusetts recently passed 17 CMR 201, a new data protection/data breach notification law. After several revisions of the regulation and several delays in the compliance deadline, the rule is currently scheduled to go into effect March 1st of this year.
As of the time of this writing, there is no official proactive auditing process or body for this regulation. Organizations that are required to comply will only be audited if there is an investigation due either to a suspected or known data breach (and even then, an audit is not necessarily going to happen). The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), which is part of the Secretary of the Commonwealth's office, has built the regulation, but enforcement will fall under the purview of the attorney general's office. The Massachusetts attorney general will be the one to determine whether an organization is in compliance, as well as pursue legal action in the event of non-compliance.
For more information:
- Read more about interpreting 'risk' in the Massachusetts data protection law.
- What are the mobile device encryption requirements under the Mass. data protection law? Learn more.
Dig Deeper on IT security audits and audit frameworks
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ... Continue Reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security... Continue Reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.