This combination of various state and federal laws can sometimes present companies doing business in the US with a complex maze of requirements, restrictions, and obligations related to their collection, handling, and sharing of personal information.  The answers to even basic questions like “what is personal information” can shift depending on the specific statutory scheme. 

No two entities’ privacy or cybersecurity compliance efforts will look the same.  However, there are a number of common elements that all companies should have in a compliance program.  For example, a comprehensive information security program, such as what is required in Massachusetts, should include the following:

• the designation of one or more employees to maintain the program;
• identification and assessment of any reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information;
• evaluations for improving the effectiveness of safeguards;
• ongoing employee training to ensure employee compliance with policies and procedures;
• means for detecting and preventing security systems failures;
• security policies for employees relating to the storage, access, and transportation of personal information, and disciplinary measures for violating the policies;
• restrictions to prevent terminated employees from accessing records containing personal information;
• oversight of service providers by (i) taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures consistent with the regulations; and (ii) requiring such third parties to implement and maintain such appropriate security measures by contract;
• restrictions on physical access to personal information; and
• regular monitoring, reviewing, and documentation of the security measures and responsive actions taken in connection with any breach of security.¹

On the privacy side, a compliance program will have many similar components that ensure the company understands and has appropriate controls in place related to (a) where it collects or acquires personal data, (b) how it uses or shares personal data, (c) which laws regarding the collection, use, or sharing of personal data apply, and (d) how and when it deletes any personal data it has collected.

¹ 201 Mass. Code Regs. 17.