On this, it was announced by the state of Massachusetts that it will commence a new law, 201 CMR 17.00. For example, the law stated the need of limiting the data collected, and further stated about data encryption and written security policies.
The law would be implemented on any company storing or handling customer data based in Massachusetts. The enforcement of law was pushed back to 2010, when it was meant to be in action from 2009. Like all the previous laws this law also didn’t include level 4 merchants to be enforced by the law.