You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at

State Consumer Data Security Policy


Data security imageThe lack of a federal Consumer Privacy Bill of Rights means states must pass their own policies to protect their residents from data breaches and mishandling of personal information. Massachusetts' data breach notification law, Chapter 93H, is one of the most comprehensive state data security laws in the United States.

Exemplary Law: Massachusetts' Data Security Law

In August 2007, Massachusetts enacted legislation to set strong data security standards for entities that handle personal information (electronic and paper) on Massachusetts residents. Following the law's passage, the Massachusetts Office of Consumer Affairs and Business Regulation promulgated regulations (201 CMR 17.00) establishing minimum standards that any person, agency, or entity that owns or licenses personal information on Massachusetts residents must meet to safeguard personal information, including:

  • implementing "a comprehensive information security program," appropriate to the size of the business and nature of the personal information at issue, that contains safeguards for the protection of that personal information. Minimum requirements include:
    • employee security training;
    • monitoring of third-party service providers;
    • regular monitoring and risk assessment checks;
    • secure storage;
    • preventing terminated employees from accessing records containing personal information;
    • strong user authentication protocols;
    • reasonable access restrictions and encryption of all data transmitted and data stored on portable devices, among other computer system security requirements; and
    • reviewing the scope of security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

These specific data security regulations help safeguard state residents' personal information against unauthorized use, access, and disclosure. While other states such as Florida and California require businesses and other entities that own or license personal information to "take reasonable measures" to protect their residents' personal information, Massachusetts' comprehensive standards ensures baseline data security protection.

What's Missing from Massachusetts' Law?

While Massachusetts' data security law is the most comprehensive, other states have passed or are considering strong policies missing from the Massachusetts law:

  • Pending legislation in New York state contains a broader definition of personal information that includes medical history, health insurance information, biometric data, and online login credentials that can be used to permit access to an online account;
  • Nevada law requires compliance with the Payment Card Industry (PCI) Data Security Standard for businesses and entities handling credit card data;
  • Nevada's law also requires that encryption technology be approved by a national standards setting body.

Additional Resources

Pending Legislation logo
Back to State Policy home

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security