Question 90 - CIPP-US discussion

The Massachusetts Personal Information Security Regulation (201 CMR 17.00) requires that any person or entity that owns or licenses personal information of Massachusetts residents must implement and maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards to protect such information.One of the technical requirements of the regulation is to encrypt all personal information of Massachusetts residents that is stored on laptops or other portable devices, regardless of where the equipment is located12.The regulation defines personal information as a person's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such person: (a) Social Security number; (b) driver's license number or state-issued identification card number; or financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account1.The regulation also requires encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly1.Reference:

Regulation 201 CMR 17.00: Standards for the Protection of Personal Information of MA Residents

Massachusetts Law Raises the Bar for Data Security