Do you operate in Massachusetts? Do you regularly process the personal information of people in the state? If so, you may be aware of a law dating back to 2010 that requires that “every person that owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive information security program.”
The law was revised in 2019 to require that any organization reporting a data breach must confirm whether they maintain a “WISP” (written information security program), and so increasingly, regulators are reviewing these programs.
If you do not operate in Massachusetts, you may not need to comply with this law (specifically, 201 CMR 17.00). However, the Massachusetts Office of Consumer Affairs and Business Regulation has compiled a checklist to help small businesses that handle “personal information” develop a WISP. Each item highlights a feature of the law that will require proactive attention for a security program to be considered compliant.
Even if your organization operates outside of Massachusetts, the checklist can guide your information security program. In the absence of any local rulings, courts sometimes look to other states for guidance. Check out the list here to see how your program compares to the requirements laid down in Massachusetts!
How IT Governance USA can help
Our product CyberComply makes compliance with cybersecurity requirements and data privacy laws simple and affordable.
Reduce dependence on individuals: put your trust in CyberComply
- CyberComply does all the heavy lifting – wizards, databases and prompts guide you all the way – get started without any expert knowledge
- Meet your cybersecurity compliance objectives fast with five fully integrated modules that help you address compliance requirements
- Centralize your compliance activities to improve control and compliance with regulations and frameworks
- Draw powerful reports to demonstrate measures taken and controls implemented