Massachusetts Data Breach Law - Effective May 1, 2009

Let me help you stay in compliance! Contact me for a free consultation.

In September 2008, Massachusetts enacted legislation requiring that businesses in the state comply with the state's Data Breach Law. That law mandates that businesses in possession of personal information (including information about employees) notify those affected by a security breach.

Massachusetts has also enacted data protection legislation which applies to personnel records containing employee social security numbers, driver's license numbers or financial account numbers (201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth).

Since the majority of breaches involve the theft of portable devices, and data encryption significantly reduces consumer risk if information is lost or stolen, the regulations issued in September call on businesses to encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data, and utilize up-to-date firewall protection that creates an electronic gatekeeper between the data and the outside world and only permits authorized users to access or transmit data.

Many businesses will assume that their business insurance policies will insure them against any losses. Unfortunately this may not be the case: when a business is required, as is the case now, to comply with a set of laws and regulations, it must take steps to ensure due care and due diligence in meeting those requirements. Failing to follow or document due care and due diligence is evidence of negligent behavior. In a world of lawsuits, the ability to show documentation that your business is doing what is required can be the difference between the insurance company covering the costs of a data breach and getting on with business, or having to pay out of pocket because the insurance company has denied coverage.

The regulations were initially set to take effect on January 1, 2009, but the effective date has been extended to May 1, 2009 to allow some flexibility to businesses that may be experiencing financial challenges brought on by national and international economic conditions.

The Office of Consumer Affairs and Business Regulation feels that this should be a call to action for all Massachusetts businesses since, as too many companies have learned, one lost laptop or a misdirected e-mail containing employees' social security numbers can lead to unflattering news stories, breed distrust among employees and expose the company to costly litigation.

Businesses should check to be sure they have a competent firewall in place, an anti-virus system and an anti-spyware system. In order to be compliant, larger companies with their own IT departments may be able to handle this in house, but for small businesses it may be necessary to have a review of your systems by a qualified company to be sure that your employees' and customers' personal information is safeguarded. Businesses should also check with their insurance companies to review their coverage in case of a data breach.