The Massachusetts Office of Consumer Affairs and Business Regulations recently adopted new standards affecting any business that retains information regarding a Massachusetts employee or consumer. The regulations took effect January 1, 2009.

Under the regulations, companies must create a comprehensive written information security program designed to safeguard personal information. The program must include a number of components, among them: the designation of one or more employees to maintain data security, an evaluation of current means to detect and prevent security failures, and specific disciplinary measures for violations of the security protocol.

The regulations also mandate minimum technical requirements for computer systems that electronically store or transmit personal information regarding Massachusetts consumers or employees. For example, a company must adopt a reasonably secure method for assigning and selecting passwords.



NOTE: This summary is being provided solely as a courtesy. It is intended to provide a brief snapshot of legislation potentially affecting end-users. It should not be construed as providing a comprehensive discussion of this or any law. This summary should not be construed in any way as legal advice. Parties receiving this summary are encouraged to consult with legal counsel to ensure that they are complying with all applicable laws affecting end-users in their jurisdictions.