New rules about data protection in Massachusetts

by Jason Haley 1. March 2010 07:57

There is a good article on Boston.com this morning (Theft-proofing your identity) about the new data protection rules taking effect in Massachusetts today.

Here are a few quotes from that article:

Under the rules that take effect Monday, any institution that holds personal data about residents of Massachusetts must create a written policy for protecting the data, and must train employees to follow the rules.

In addition, organizations must encrypt any personal information - scrambling files to conceal their content - when it is transmitted over the Internet or a wireless data network. Data must also be encrypted when it’s stored on portable devices like laptops or thumb drives, to protect against identity theft if the devices are lost or stolen.

Alongside the article is a high-level bullet list:

By March 1, businesses that have such information must:
■ Create a written data security plan that identifies all sensitive information, security risks, and controls such as passwords
■ Designate an employee to be responsible for data security
■ Encrypt such information if it is stored on laptop computers or sent over the Internet
■ Lock up computers or other equipment on which the information is stored
■ Train employees on security procedures
■ Ensure any outside parties that might have access to the information, such as contractors, are in compliance with the regulations
■ Conduct an annual audit to ensure controls remain in place
