Unlike Europe and its GDPR (General Data Protection Regulation), the United States doesn’t have a blanket set of laws covering data privacy across the country. Instead, there is a collection of state and federal laws that govern particular sectors, industries or geographical locations, and whose reach depends greatly on the type of personal information involved or on whether you are working with the government.
Whilst the constitution itself doesn’t mention privacy outright, the Fourth Amendment speaks of a person’s right to be secure against unreasonable searches or seizures. This right is understood to have grown out of the concept of privacy and provides a solid basis for the development of privacy law in the US. Back in 2009, in response to a surge of data breaches and global consumer data theft, Massachusetts enacted comprehensive data security legislation, which became known as the Massachusetts data privacy law.
Compliance has been required in Massachusetts since March 2010. In 2019, the Massachusetts privacy act was updated with amendments addressing new challenges in the digital and data world, notably the addition of the WISP requirement (expanded on below).
What is the MIPSA?
Massachusetts data protection law defines personal data as:
- First and last names
- Social Security number
- Driver’s license or state-issued identification number
- Financial account number
- Credit or debit card number (even without its password, PIN code or CVV)
Exempt from the law is personal data that has been retrieved from public records or obtained lawfully from government sources.
A notable amendment in 2019 was the Safeguard Regulations, a set of mandates spelling out the specific requirements organizations must implement to protect Massachusetts citizens’ personal data. Under these amendments, all entities are required to confirm their compliance by producing a WISP (Written Information Security Program). The Massachusetts privacy act requires that “every person that owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive information security program”. Before writing their WISP, an organization should consider their “scale, scope, amount of capital, nature, and quantity of data collected or stored, and the need for security.”
The WISP must incorporate appropriate administrative, technical and physical safeguards for the IT systems used by an organization. These include:
Administrative and physical safeguards, for example:
- Designating an employee or team to oversee the program
- Undertaking a comprehensive risk assessment to identify, evaluate and improve safeguards
- Access and authorization management
- Developing policies and procedures relating to employees and data, including the disciplinary procedures that apply if an employee is found in violation of the data security program
- Developing techniques to avoid security failures
Technical safeguards, for example:
- Technical controls
- Firewall implementations
- Protocols and more
Who does it apply to?
The extent to which you’ll need to comply or prepare a WISP will depend greatly upon the volume of data you handle. The Massachusetts data privacy act currently addresses employee surveillance.
Compliance with the MA privacy law is not specific to any sector or industry, and does not depend on where an organization is located. Any organization that processes, stores, transmits, sells, or otherwise handles the information of MA residents is obligated to comply with the data privacy laws of the state.
It is important to bear in mind that if an organization only handles credit card data through a PCI DSS compliant payment method, it does not have custody of the personal information and does not need to concern itself with compliance (unless, of course, another part of the organization handles personal information).
What happens if you don’t comply?
Currently, non-compliance with the law means regulators can enforce penalties of up to $5,000 per violation, plus the reasonable cost of litigation and prosecution.
Reacting quickly to an incident, and being able to show that you had the recommended security controls and procedures in place and acted responsibly, will go a long way toward reducing penalties and liability.
The future of the Massachusetts Data Privacy Law
On February 2, 2022, a new 65-page draft of the bill known as the Massachusetts Information Privacy and Security Act, or MIPSA, was released and is currently going through the approval process. The new bill would change the Massachusetts data privacy laws significantly:
- Applicability thresholds: organizations bringing in at least $25 million in gross global annual revenue, organizations processing the personal data of over 100,000 individuals, and data brokers dealing with the sensitive information of over 10,000 individuals.
- Expanded rights for Massachusetts residents, including the rights to access, transfer, correct and delete personal information, to learn how it is disclosed, and opt-in/opt-out consent rights. Notably, it also expands the rights of individuals in data breach litigation.
- Regulation of biometric and sensitive data, with protections for children and for data about race, religion and more.
- Incorporation of anti-discrimination laws into the regulations.
- Enforcement by the attorney general.
Should the proposed MIPSA legislation be accepted and pass as law, the attorney general will be able to enforce penalties and fines, including (i) $7,500 for each violation of the law, (ii) $500 per day for failure to register under the law up to $100,000 per year, (iii) $10,000 for violations of injunctions, and (iv) attorney fees and costs.
Currently, the legislative deadline for Formal Sessions in the Massachusetts Legislature is July 31, 2022, and the current legislative session will end on January 3, 2023.
The best way to prepare for the future, stricter Massachusetts Information Privacy and Security Act is to become compliant with the current requirements. Many organizations worry about the expense and labor involved in complying with data privacy laws, yet the benefits (and the avoidance of fines and penalties) may well outweigh the difficulty involved. Using automation and smart mapping between the different US data privacy laws will save you time and money and allow your organization to scale up and expand business across any state. Stay up to date with Centraleyes and see how we can automate your compliance to keep you protected now and in the future.