June 29, 2022

Volume XII, Number 180



Massachusetts Privacy Bill Provides WISP Reminder, Safe Harbor for Punitive Damages

When Massachusetts issued its data security regulations in 2009 (the Regulations), it led the way for states on data security. The Regulations became effective 12 years ago, almost to the day, on March 1, 2010. The Bay State is now contemplating comprehensive privacy legislation, the Massachusetts Information Privacy and Security Act (MIPSA), similar to what has been enacted in California, Colorado, and Virginia. As we review this legislation, the MIPSA provides an important reminder, even if it is not ultimately enacted.

The MIPSA would provide individuals a private right of action if their personal information is subject to a breach of security under Massachusetts law caused by a failure to implement reasonable cybersecurity controls. Damages could be up to $500 per individual per incident or actual damages, whichever is greater. The CCPA contains a similar provision.

Under the MIPSA, if enacted in its current form and following a similar approach taken in neighboring Connecticut, controllers would be able to avoid punitive damages in such cases provided they:

  • created, maintained, and complied with a written cybersecurity program with administrative, physical, and technical safeguards that conforms to an industry-recognized framework, and

  • designed the program in accordance with the Regulations based on an appropriate scale and scope.

Examples of industry-recognized frameworks under the MIPSA would include:

  • National Institute of Standards and Technology’s (NIST) special publications 800-171 or 800-53

  • The Center for Internet Security’s “Center for Internet Security Critical Security

The Wall Street Journal reported on Friday that the state legislature’s Joint Committee on Advanced Information Technology passed the MIPSA on a bipartisan vote with no objections. It now moves to the full legislature.

If you have waited 12 years to develop that perfect written information security program (WISP), this might be the time to apply the finishing touches. If you have opened a new business in or expanded to Massachusetts, or recently began collecting personal information of Massachusetts residents, a WISP is a critical compliance requirement. If the MIPSA is enacted, a WISP could play a significant role in minimizing exposure to your organization should it be sued in connection with a data breach.

Jackson Lewis P.C. © 2022 National Law Review, Volume XII, Number 45

About this Author

Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973-538-6890