If you hold personal information on a Massachusetts resident, you were on the hook as of March 1. The question for security groups is, How do we comply with the myriad state-mandated data security laws without putting an undue burden on the business? And comply you must, because CMR 17.00 raises the stakes in terms of potential penalties. The law will be enforced, quite literally, in the breach, and companies can potentially be fined $5,000 per violation and per record lost. One stolen laptop loaded with a database containing the names and Social Security numbers of 200 Massachusetts residents puts you in the hole for a cool million. The Massachusetts law isn't remarkable in its overall requirements, but it is special in two areas. First, it requires businesses to attest that they have a working data security program in place to protect any personally identifiable information (PII) they've collected from state residents. Companies must maintain a comprehensive written information security program (WISP) that includes "technical, administrative, and physical safeguards" to protect PII. Covered businesses range from neighborhood dry cleaners to Fortune 100 companies, but the law stipulates that the program be appropriate to the size and resources of the business.