The significant new requirement is mandatory encryption. If an entity electronically stores or transmits information on Massachusetts residents, encryption of personal information (defined as name combined with either Social Security, driver's license or financial account number) is required when transferred in a wireless environment or when stored on laptops or other portable devices. While many financial institutions have comprehensive encryption programs, this requirement will extend the protection not only to customer information but to employee information as well.
In addition, the regulation reinforces the requirement to take all reasonable steps to verify and monitor third-party vendors so that they also comply. [The Santa Fe Group, through the multi-industry-based Shared Assessments Program, offers an industry-standard control-assessment approach for use by financial institutions and third-party providers that is being updated to meet these new requirements. The materials are available at shareassessments.org.]