What is the MIPSA? And what the new Massachusetts Information Privacy and Security Act means for business

By Michelle Drolet

Founder & CEO


The Commonwealth of Massachusetts may soon approve a data privacy bill called the Massachusetts Information Privacy and Security Act, which would make the state a national leader in the regulation of data privacy and security. There are extensive fines and penalties for non-compliance, and the act will allow individuals to sue organizations for data breaches.

Who does MIPSA apply to?

MIPSA is not sector-specific, nor does it depend on where an organization is located. It applies to any organization that stores, processes, transmits, sells, or otherwise handles the personal data of Massachusetts citizens. If an organization earns more than $25 million in gross global annual revenues, processes the personal information of at least 100,000 individuals, or collects and sells the sensitive or personal information of at least 10,000 individuals, MIPSA applies.

Consequences of non-compliance

If the proposed legislation is accepted and the law is passed, the attorney general will be able to enforce penalties and fines to the tune of $7,500 for each violation of the law, $500 per day for failure to register under the law (up to $100,000 per year), and $10,000 for violations of injunctions, plus attorney fees and costs.

Cybersecurity implications

MIPSA will require entities to create a comprehensive data governance plan going far beyond traditional security measures and potential breach notifications. While the full scope of the legislation is fairly comprehensive, below are the key business implications:

  • Entities can avoid punitive damages if they create, compile, and maintain a written cybersecurity program with an administrator, have physical security and surveillance in place, and demonstrate deployment of technical safeguards with industry-standard frameworks.
  • Entities will be required to undertake and document regular risk assessments if the data processing involves sensitive information, such as the sale of personal information, or there is a systematic analysis of personal data, such as first names and last names, gender, biometric and racial information, Social Security numbers, driver’s license or state-issued ID, financial account number, credit or debit card number, etc.
  • The assessments must lead to the implementation of sufficient security controls and processes to mitigate identified risks.
  • Entities will be required to take appropriate steps to ensure that third-party partners, suppliers, or vendors with whom they share data uphold the same high security standards and practices.

The MIPSA compliance process may seem overwhelming at first, but the benefits far outweigh the costs and difficulties involved. If your business doesn’t have the required expertise, knowledge, or understanding of the regulation, partner with an experienced cybersecurity/privacy provider to hold your hand and walk you through the process. Following MIPSA will increase accountability by helping to develop an ongoing process of proactive monitoring for vulnerabilities, threat detection and response to keep cybersecurity risks in check.


This article was originally posted in the Worcester Business Journal.