State Consumer Data Security Policy
The lack of a federal Consumer Privacy Bill of Rights means states must pass their own policies to protect their residents from data breaches and mishandling of personal information. Massachusetts' data breach notification law, Chapter 93H, is one of the most comprehensive state data security laws in the United States.
Exemplary Law: Massachusetts' Data Security Law
In August 2007, Massachusetts enacted legislation to set strong data security standards for entities that handle personal information (electronic and paper) on Massachusetts residents. Following the law's passage, the Massachusetts Office of Consumer Affairs and Business Regulation promulgated regulations (201 CMR 17.00) establishing minimum standards that any person, agency, or entity that owns or licenses personal information on Massachusetts residents must meet to safeguard personal information, including:
- implementing "a comprehensive information security program," appropriate to the size of the business and nature of the personal information at issue, that contains safeguards for the protection of that personal information. Minimum requirements include:
- employee security training;
- monitoring of third-party service providers;
- regular monitoring and risk assessment checks;
- secure storage;
- preventing terminated employees from accessing records containing personal information;
- strong user authentication protocols;
- reasonable access restrictions and encryption of all data transmitted and data stored on portable devices, among other computer system security requirements; and
- reviewing the scope of security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
These specific data security regulations help safeguard state residents' personal information against unauthorized use, access, and disclosure. While other states such as Florida and California require businesses and other entities that own or license personal information to "take reasonable measures" to protect their residents' personal information, Massachusetts' comprehensive standards ensures baseline data security protection.
What's Missing from Massachusetts' Law?
While Massachusetts' data security law is the most comprehensive, other states have passed or are considering strong policies missing from the Massachusetts law:
- Pending legislation in New York state contains a broader definition of personal information that includes medical history, health insurance information, biometric data, and online login credentials that can be used to permit access to an online account;
- Nevada law requires compliance with the Payment Card Industry (PCI) Data Security Standard for businesses and entities handling credit card data;
- Nevada's law also requires that encryption technology be approved by a national standards setting body.
- EPIC: Consumer Privacy
- EPIC: Consumer Privacy Bill of Rights
- EPIC: Privacy and Consumer Profiling
- EPIC: CPNI (Customer Proprietary Network Information)
- National Conference of State Legislatures (NCSL): Security Breach Notification Laws.
- NCSL: 2015 Security Breach Legislation.
- NCSL: Data Disposal Laws
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
by Ryan Calo, A. Michael Froomkin,