As the federal government gears up to pass a law requiring companies to help prevent data breaches, states are making their own rules.

The latest state to enact a data breach law: Massachusetts.

The law goes into effect on March 1 and will impact more than just the businesses based in the state. It covers all companies that store personal info about Massachusetts residents, regardless of where the company’s located.

Businesses must encrypt sensitive data that’s stored on portable devices or transmitted over public or wireless networks.

The rules also require companies to:

• control end-user access to sensitive data
• protect passwords that allow access to sensitive data, and
• take “reasonable steps” to make sure third-party service providers keep sensitive data secure.

Read the full text of the law here.

The law was met with considerable resistance from business and technology groups, and was delayed for more than a year as the rules were modified. As of now, the March 1 effective date still stands.

Massachusetts will join other states, such as Connecticut and Michigan, that place heavy burdens on companies for protecting employee and customer data. In addition, the federal Personal Data Privacy and Security Act has been gaining steam in Congress.

If passed, the law will penalize companies for leaving data unprotected and create new standards for notifying victims and law enforcement if data has been compromised.

Tags: data breach, Personal Data Privacy and Security Act, state law