New MA Data Breach Rules - Much Ado About ??
I was chatting with a friend about the new data breach law in Massachusetts, which was initially scheduled to be effective in February 2009 but which will not be effective until later. There is lots of commentary on this from various sources (e.g. here, here, and here). You can find the text of the statute here. The Massachusetts website [link] contains a slew of helpful-looking information. (Possible concerns about its effect on lawyers here.)
What will be the practical effect of the rules?
What does it cover? The law broadly covers the use or storage of the personal information of a Massachusetts resident. Personal information is defined to include the first and last name (or first initial and last name) along with the person’s social security number, credit card or bank card number, or driver’s license number. This definition drastically limits the applicability of the rule to e-commerce businesses and other businesses that come into contact with driver's license, credit card, or bank account information. Would I place lawyers in this category? Not typically. How about social networks? Not typically. Most data breach rules should be limited to regulating the security of this type of information. There's no dispute about this. I think what makes the law relatively unremarkable is that the types of entities which come into contact with this information probably already comply with the requirements of the law to begin with. Those that handle credit card information, for example, *should* have some sort of written policy in place. (In reality, for smaller companies, this probably is a low-priority item, and often gets lost in the shuffle ... that is, until trouble strikes.)
What new requirements does it impose? This is really the critical part of the law and the part that is not black and white. Massachusetts could have regulated in this area by setting forth specific rules or general guidelines. Both approaches have their limitations, but Massachusetts chose to promulgate a set of general guidelines against which businesses will be evaluated. Here’s a key paragraph:
Whether the comprehensive information security program is in compliance with these regulations for the protection of personal information, whether pursuant to section 17.03 or 17.04 hereof, shall be evaluated taking into account (i) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program, (ii) the amount of resources available to such person, (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information.
I’m not really sure how different the underlying standards are from the PCI (payment card industry) standards (which also take into account volume of sales/transactions) or "industry standards"-based due care requirements. Both of these are general guidelines which leave a ton of wiggle room. I guess the law sets forth a general requirement that any business handling the personal information of a Massachusetts resident must formulate and enforce some sort of policy aimed at the protection of this information. But this is the prudent course for any business which handles this type of information, and particularly any business that operates a website through which such information may be transmitted.
Who gets to enforce the law? In my read of the law, it didn't clearly set forth a private cause of action for non-compliance. Additionally, although it creates notice requirements, it didn't create a statutory cause of action for damages in favor of an "injured person" - i.e., a Massachusetts resident whose information was compromised. This is probably a good thing ultimately, but it drastically limits the utility of this rule for private lawyers representing litigants. (Granted, the lawyers can still use this rule to make a negligence per se argument (?), but they still have to overcome a fairly robust body of case law which provides that a data breach does not necessarily result in cognizable damages, see e.g., here.)
***
Ultimately, this will be a powerful tool in the arsenal of the Massachusetts equivalent of the FTC. But it's not entirely clear that this rule was necessary or will be that useful to plaintiffs' lawyers dealing with data breach claims. The downside is that it just adds to the regulatory quagmire that businesses who come into contact with the personal information of Massachusetts residents have to deal with.
If I were rating the statute I'd give it a thumbs down.