Datalyst Blog
What the Massachusetts Data Privacy Laws Might Look Like in 2022 and Beyond
The Bay State has some of the most comprehensive data privacy laws in place, with additional legislation being debated at the time of this writing. Considering the projections concerning how cybercrime is expected to grow, it only makes sense to pay attention to how these laws take shape and could impact your business.
Let’s begin by reviewing the existing legislation in the Massachusetts Data Privacy Law.
What Does the Massachusetts Data Privacy Law Establish?
Since 2009, Massachusetts has been known for the progress of its data privacy and security laws, particularly with respect to 201 CMR 17. This law has been in place for over a decade and establishes a few key security and access standards surrounding the data of “a resident of the Commonwealth of Massachusetts.”
Covering both paper and electronic records, including medical records (EMR), 201 CMR 17 essentially set the standard for how a business entity must protect consumer data, and was among the first such laws in the nation directed at cybersecurity. It has since been augmented by House Bill H.4806, which, among other things, requires that data breaches be reported to any affected Massachusetts residents. These laws alone have made the Bay State one of the strictest on cybersecurity in the nation—a very good thing.
Massachusetts Attorney General Maura Healey also established the Data Privacy and Security Division in 2020 to help investigate non-compliance with these laws. All organizations, regardless of industry or size, are regulated by the Massachusetts Data Protection Law.
Pending Legislation Could Only Add to These Protections
The Massachusetts Information Privacy Act (MIPA), enforced by a commission of five people (the Massachusetts Information Privacy Commission, or MIPC), would effectively reinforce many of the requirements dictated by the aforementioned policies.
Much like these existing laws, MIPA grants the individual a variety of rights, including:
- The right to access the information that a business holds in regards to them
- The right to correct this data to remedy any errors
- The right to portability, which eliminates vendor lock-in and simplifies backup practices
- The right to have their data with a company deleted
- The right to know what data a company has about them
- The right to limit how their personal information can be disclosed
On top of all this, MIPA also intends to impose various obligations on the businesses it applies to—any entity that conducts business and processes personal information in Massachusetts and that either earns annual revenue of at least $10 million through at least 300 transactions, or processes/stores the personal information of 10,000 unique individuals within a calendar year. These obligations would include a duty to protect personal information, a duty to refrain from abusing or misusing an individual’s data in a detrimental or offensive way, and a duty to keep this data confidential (with certain established exceptions).
MIPA would also require these entities to provide notice of what data will be collected and/or processed at all points of the professional relationship.
Legislation Like This Only Becomes More Crucial as Time Passes
Unfortunately, laws establishing baselines for cybersecurity are likely to only become more important to help reduce the efficacy of cyberattacks. 2021 saw new heights in terms of average data breach costs, with the average total cost reaching an unprecedented $4.24 million. Phishing attacks were part of 36 percent of data breaches, up 11 percent from the year prior.
Ransomware had a banner year, particularly two-pronged double extortion attacks. Whereas a mere 8.7 percent of attacks involved a threat to leak data in 2020, 81 percent did so in 2021. Plus, the cost of remediating ransomware attacks more than doubled: overall costs jumped from $761,103 in 2020 to $1.85 million in 2021.
In fact, the Massachusetts medical and transportation industries remain targets.
With figures like these, it’s no wonder that the state is putting in more effort to get businesses to do what needs to be done. Regardless of whether or not it passes, MIPA needs to be considered the benchmark for any similar legislation moving forward.
Datalyst Can Help Businesses Protect Themselves
One of our specialties is compliance, particularly to rules like 201 CMR 17.00 and H.4806… and, should it pass, MIPA. We’re here to help businesses like yours ensure that they aren’t going to get tripped up by any data protection litigation.
This is particularly true, now that we’ve partnered with Cynet. Through this partnership, we can help you to automate your digital protections, reducing the number of breaches you’ll potentially need to deal with and more accurately determining where your cybersecurity needs the most attention to optimize it.
In addition to this, we offer a comprehensive suite of cybersecurity services for businesses to take advantage of, along with those to help you recover should something slip in.
Don’t wait another second to find out what your business needs to do in order to remain secure against the ever-growing threats out there today… particularly when there are so many consequences on the line. Give our team a call today at (774) 213-9701 to learn more about what we can do for you.