Massachusetts Privacy Bill Provides WISP Reminder, Safe Harbor for Punitive Damages
When Massachusetts issued its data security regulations in 2009 (Regulations), it led the way for states on data security. The Regulations became effective 12 years ago, almost to the day, March 1, 2010. The Bay State is now contemplating comprehensive privacy legislation, the Massachusetts Information Privacy and Security Act (MIPSA), similar to what has been enacted in California, Colorado, and Virginia. As we review this legislation, the MIPSA provides an important reminder, even if it is not ultimately enacted.
The MIPSA would provide individuals a private right of action if their personal information is subject to a breach of security under Massachusetts law caused by a failure to implement reasonable cybersecurity controls. Damages could be up to $500 per individual per incident or actual damages, which ever is greater. The CCPA contains a similar provision.
Under the MIPSA, if enacted in its current form and following a similar approach taken in neighboring Connecticut, controllers would be able to avoid punitive damages in such cases provided they:
created, maintained, and complied with a written cybersecurity program with administrative, physical, and technical safeguards that conforms to an industry recognized framework and
design the program in accordance with the Regulations based on an appropriate scale and scope.
Examples of industry recognized frameworks under MIPSA would include:
National Institute of Standards and Technology’s (NIST) special publications 800-171 or 800-53
The Center for Internet Security’s “Center for Internet Security Critical Security
The Wall Street Journal reported on Friday that the state legislature’s Joint Committee on Advanced Information Technology passed the MIPSA along with a bipartisan vote, no objections. It now moves to the full legislature.
If you have waited 12 years to develop that perfect written information security program (WISP), this might be the time to apply the finishing touches. If you have opened a new business in or expanded to Massachusetts, or recently began collecting personal information of Massachusetts residents, a WISP is a critical compliance requirement. If the MIPSA is enacted, a WISP could play a significant role in minimizing exposure to your organization should it be sued in connection with a data breach.