Massachusetts Privacy Bill Provides WISP Reminder, Safe Harbor for Punitive Damages

Joseph Lazzarotti
Jackson Lewis P.C.
Contact
LinkedIn
Facebook
X
Send
Embed

When Massachusetts issued its data security regulations in 2009 (Regulations), it led the way for states on data security. The Regulations became effective 12 years ago, almost to the day, March 1, 2010. The Bay State is now contemplating comprehensive privacy legislation, the Massachusetts Information Privacy and Security Act (MIPSA), similar to what has been enacted in California, Colorado, and Virginia. As we review this legislation, the MIPSA provides an important reminder, even if it is not ultimately enacted.

The MIPSA would provide individuals a private right of action if their personal information is subject to a breach of security under Massachusetts law caused by a failure to implement reasonable cybersecurity controls. Damages could be up to $500 per individual per incident or actual damages, which ever is greater. The CCPA contains a similar provision.

Under the MIPSA, if enacted in its current form and following a similar approach taken in neighboring Connecticut, controllers would be able to avoid punitive damages in such cases provided they:

  • created, maintained, and complied with a written cybersecurity program with administrative, physical, and technical safeguards that conforms to an industry recognized framework and
  • design the program in accordance with the Regulations based on an appropriate scale and scope.

Examples of industry recognized frameworks under MIPSA would include:

  • National Institute of Standards and Technology’s (NIST) special publications 800-171 or 800-53
  • The Center for Internet Security’s “Center for Internet Security Critical Security

The Wall Street Journal reported on Friday that the state legislature’s Joint Committee on Advanced Information Technology passed the MIPSA along with a bipartisan vote, no objections. It now moves to the full legislature.

If you have waited 12 years to develop that perfect written information security program (WISP), this might be the time to apply the finishing touches. If you have opened a new business in or expanded to Massachusetts, or recently began collecting personal information of Massachusetts residents, a WISP is a critical compliance requirement. If the MIPSA is enacted, a WISP could play a significant role in minimizing exposure to your organization should it be sued in connection with a data breach.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Lewis P.C. | Attorney Advertising

Written by:

Jackson Lewis P.C.
Jackson Lewis P.C.
Contact
more
less

Jackson Lewis P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide