This article is an interesting discussion of how Massachusetts has put in place some very stringent rules regarding information security.
At its core, the regulation states that companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled....
Another big component of the regulation is around the protection of data in transit and data on portable devices, like laptops, Blackberrys and thumb drives. Companies will be required to encrypt data not only when it is stored but also when it is being transmitted over networks or physically moved, as when an employee takes a laptop home.
I thought the last paragraph I've quoted here is interesting in that it relates directly to Active Directory Rights Management Services (the product for which I write documentation). It underscores the importance of information (files of various types) traveling with its security in place (the file remains encrypted in transit through email and across multiple devices), in addition to restricting access to that information on the network (directory security).