First, the real victims here are the consumers -- not the businesses whose systems are eventually breached (unless they have to disclose the breach, in which case they suffer a loss of reputation and potential fines). Very few states are as progressive as Massachusetts and willing to advocate for consumer rights at this level.
Second, the State of Massachusetts will be unable to proactively enforce this rule -- it simply doesn't have the resources or budget to do so. It will only be able to prosecute violators whose egregious violations happen to come to its attention. That means many companies may simply strive to stay under the radar and evade the authorities' attention.
This is very different from the PCI Data Security Standard rules governing protection of credit and debit card data. In the case of cards, the banks and card issuers lose real money when there is a breach at a third-party retailer or processor -- hence they have a very clear and direct motivation to make sure card acceptors, transmitters and processors protect the card data.
1. Strong network segmentation, so that PII data is walled off from the rest of the enterprise network and only those people and programs that absolutely must access the PII data are allowed to do so.
2. Data protection technology, including encryption of PII data and sound key management practices.
3. Access controls around PII data.
4. Audits of all access to PII data.