Cybersecurity statutes (background)
In plain terms. Massachusetts centralizes state IT in the Massachusetts Office of Information Technology and protects residents with one of the country's well-known data-breach laws.
Who it applies to. State agencies and their IT vendors; the breach law also reaches businesses that own or license personal information of Massachusetts residents. Massachusetts participates in StateRAMP.
What it requires. State law establishes the Office of Information Technology for statewide IT governance, and the security-breach statute requires safeguarding personal information and notifying affected residents and regulators after a breach.
Why it matters. Vendors handling Massachusetts residents' personal data must meet the breach law's safeguarding and notification duties — obligations that often flow into contracts.
Citation. Mass. Gen. Laws ch. 7D (Massachusetts Office of Information Technology) and ch. 93H (Security Breaches). Massachusetts participates in StateRAMP.
Regulations & policies (background)
In plain terms. Massachusetts sets specific security expectations for vendors through its third-party information-security standard.
Who it applies to. Vendors and service providers that handle state data.
What it requires. The enterprise third-party information-security standard defines the security controls outside parties must meet when they access or hold Commonwealth information; cloud providers are steered toward StateRAMP.
Why it matters. As a third party, you are expected to meet the state's information-security standard, and cloud services should plan for StateRAMP.
Citation. Commonwealth of Massachusetts Enterprise Information Security Standard IS.015 (Third-Party Information Security Standards); Massachusetts participates in StateRAMP.