Massachusetts has passed an Executive Order No. 504 that goes into effect in 2009, to protect personal data. Here’s an excerpt:

Section 3. All state agencies shall develop, implement and maintain written information security programs governing their collection, use, dissemination, storage, retention and destruction of personal information. The programs shall ensure that agencies collect the minimum quantity of personal information reasonably needed to accomplish the legitimate purpose for which the information is collected; securely store and protect the information against unauthorized access, destruction, use, modification, disclosure or loss; provide access to and disseminate the information only to those persons and entities who reasonably require the information to perform their duties; and destroy the information as soon as it is no longer needed or required to be maintained by state or federal record retention requirements. The security programs shall address, without limitation, administrative, technical and physical safeguards, and shall comply with all federal and state privacy and information security laws and regulations, including but not limited to all applicable rules and regulations issued by the Secretary of State’s Supervisor of Public Records under Chapter 93H.