AttorneysEd Center

Massachusetts has enacted some of the most comprehensive state data security laws in the United States. The latest regulations take effect March 1, 2010, and all entities subject to these regulations must be in compliance by that date or risk substantial fines and penalties. As the March deadline looms, companies and their counsel throughout the United States are wrestling with the question of whether and to what extent these laws apply to their workplace—particularly if they do not do business in Massachusetts—because the Massachusetts Attorney General has consistently maintained that enforcement will not have geographic boundaries. This essentially means that if (1) an out-of-state business (2) has personal information of a Massachusetts resident, and (3) there is a breach of security of that information, the business can expect to be held accountable in Massachusetts for failures to comply with applicable Massachusetts laws. Join Heather Egan Sussman, a partner in McDermott Will & Emery LLP, who provides a detailed overview of the Massachusetts data security laws and regulations, discusses how to evaluate the extent to which businesses may be subject to these laws and, if so, suggests how to chart a course toward compliance.