If an ecommerce business sells to a citizen of Massachusetts and stores that customer's personal data, it must comply with Massachusetts law on the security and privacy of customer data.
201 CMR 17.00 requires a business (located anywhere) which stores and maintains electronic or paper records containing personal information about a resident of the Commonwealth of Massachusetts to maintain a comprehensive, written information security program ("WISP") applicable to those records. There is no small business exemption to this requirement.
Among other things:
- The WISP must include administrative, technical, and physical safeguards for the protection of personal information (PI).
- One or more employees must be designated to maintain and supervise WISP implementation and performance.
- Regular ongoing employee training, and procedures for monitoring employee compliance, must be included in the WISP.
For more information, please refer to the 201 CMR 17.00 Compliance Checklist that the Office of Consumer Affairs and Business Regulation has provided at: http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf
Also, read the FAQ at: http://www.mass.gov/ocabr/docs/idtheft/201cmr17faqs.pdf
For an in-depth look at the standards, read them at: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf