Alert September 30, 2008

Massachusetts Adopts Regulations Mandating Comprehensive Written Information Security Programs and Specific Computer Security Requirements to Take Effect January 1, 2009

The Massachusetts Office of Consumer Affairs and Business Regulation released new rules requiring all entities that own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts to develop, implement and maintain a comprehensive written information security program and meet specific computer information security requirements.  The requirements have no exemption for entities subject to other regulations, apply to entities outside of Massachusetts who have personal information of Massachusetts residents, and contain far more specific security requirements than exist under other regulations.  The compliance date for the new regulations is January 1, 2009.  A Goodwin Procter Client Alert discussing this development in detail is available here.