The Massachusetts Data Protection Act: Tightening Up Individual State Data Privacy Laws
A year after the mad dash to achieve compliance before the May 25, 2018, enforcement deadline for the General Data Protection Regulation (GDPR), industry marketers reportedly feel generally confident about their organizations' compliance levels.
While consumers report a marked increase in pop-ups (largely cookie and consent notices) when visiting company websites, there have been few egregious complaints, and no widespread reports of companies incurring massive fines for non-compliance.
Shortly after the GDPR deadline passed, California enacted the California Consumer Privacy Act (CCPA), the toughest privacy regulation on this side of the Atlantic.
Although both are still early in their enforcement lives, the GDPR and the CCPA have together spurred the question of tighter data privacy laws in states across the U.S.
Several U.S. States Work to Follow the Lead of the GDPR and CCPA to Protect Consumer Data
While there is no overarching federal regulation in the United States that mimics the GDPR, or even the CCPA, several individual states are developing their own data privacy laws on behalf of their residents.
California's CCPA is the broadest and most far-reaching data privacy act in the U.S. It gives California residents the right to know what personal information a business collects about them, to have it deleted, and to opt out of its sale, and it requires covered businesses to implement reasonable safeguards for that information.
Rhode Island's Identity Theft Protection Act of 2015 states that any person or business that collects, stores, processes, acquires, maintains, uses, or licenses personal information about a Rhode Island resident must adopt, implement and maintain reasonable security procedures. The requirements leave a great deal open to interpretation, starting with the definition of "reasonable."
The Utah Protection of Personal Information Act (UPPA) similarly provides that any business in the state maintaining personal information must develop, deploy and maintain reasonable procedures to protect data collected or maintained in the regular course of business. Like Rhode Island's act, the UPPA leaves much unclear to business owners and consumers alike.
The Commonwealth of Massachusetts Is Taking Data Protection to the Next Level
Massachusetts, along with Nevada, has the toughest state data protection law in the nation. The state's Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) require every person or business that owns or licenses personal information about a Massachusetts resident to develop, implement and maintain a written, comprehensive information security program, which must include the following:
- Designating one or more employees to maintain the comprehensive information security program
- Identifying and assessing reasonably foreseeable internal and external risks, and creating a means of detecting and preventing security system failures
- Developing security policies for staff relating to the collection, storage, access and transportation of records and personal information outside of the physical business premises
- Devising and imposing disciplinary actions for violations of the information security program
- Preventing terminated employees from accessing personal information by removing their access privileges immediately upon termination
- Overseeing third-party service providers, selecting ones capable of protecting personal information and requiring them by contract to implement and maintain appropriate security measures
- Reviewing the program at least annually, and whenever there is a material change in business practices
Further, the regulation sets forth security requirements for organizations' computer systems (including wireless systems), which must contain the following, at a minimum, to the extent technically feasible:
- Secure user authentication protocols, including control of user IDs, a reasonably secure method of assigning and storing passwords, restriction of access to active users, and lockout after multiple failed login attempts
- Secure access control measures that restrict access to personal information to those who need it to perform their job duties
- Encryption of all transmitted records and files containing personal information that travel across public networks or are transmitted wirelessly
- Reasonable monitoring of systems for unauthorized use of or access to personal information
- Encryption of all personal information stored on laptops and other portable devices
- Reasonably up-to-date firewall protection and operating system security patches
- Reasonably up-to-date system security agent software, including malware protection and current virus definitions
- Education and training of employees on the proper use of the computer security system and the importance of personal information security
Massachusetts has taken consumer data protection to the next level, especially compared with the many states that provide only vague definitions and directives. Compliance may prove more challenging for businesses, but residents who entrust their data to Massachusetts businesses are given concrete, enforceable protections in return.
Certain U.S. Federal Regulations Fill in the Gaps Left Unprotected by State Data Privacy Laws
Individually designed and implemented state data privacy laws are the ideal way to protect a state's consumers, but many states have gone no further than recognizing the need and launching a plan. In the meantime, certain federal and sector-specific regulations help stem the tide of data breaches and other threats to confidential consumer information.
Following are a few of the key regulations that can help you protect your state residents’ data until your state passes its own laws:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) for the healthcare industry
- Gramm-Leach-Bliley Act for the financial industry
- The New York State Department of Financial Services' Cybersecurity Regulation (23 NYCRR Part 500), a state-level rule covering DFS-licensed insurance and financial services entities
Even if a state does not have an official data protection act in place, or the existing one is still in progress, these industry-specific regulations can help serve as a guide.
Read about new developments in Colorado, Vermont, and California: States Are Leading Efforts to Improve U.S. Data Privacy.
Do You Need More Information on Your State’s Data Protection Laws?
Do you know just what your state requires of your business when it comes to protecting confidential consumer data in your care? Since some states' acts contain a lot of gray areas, our team of data privacy experts at I.S. Partners can help you understand what they mean, or simply update you on the basic consumer protections for which you are responsible.