According to this link: http://www.leapfile.com/MA-201-CMR-17, it only applies to the following subset of data:
--snip-- According to the definitions in 201 CMR 17.02, personal information is a Massachusetts resident's first name or first initial and last name IN COMBINATION with any one or more of the following data related to the person: social security number, driver's license number or state-issued identification card number, financial account number, credit or debit card number with or without any required security or access code or password that would permit access to financial information. --snip--
This, however, "and perhaps the rest of the world" is complete FUD - no one outside of the US cares about US state laws (unless you have some branch there of course - but then you already know you have a lot more paperwork to do).
The title of this article is so broad it implies that if you simply had a contact database (with no sensitive information) containing Mass residents, you'd have to file a security policy and encrypt every piece of information.
On the other hand, I wouldn't want to be a web company based in Massachusetts and this might have more than a small effect on the Boston area's attractiveness to many startups.
It seems silly to state legalities are out of scope when you're talking about a law, even if (or, especially if!) you're not writing for lawyers.
UPDATE: "Massachusetts does not require that written information security programs be filed at this time, just that they exist," according to a second article, http://www.informationweek.com/news/security/government/show... . That is a lot better.
17.04: Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information...
Also many online shops allow you to save the info in case you want to reuse it in the future.
Similarly, if you're storing credit card numbers in plaintext in a database, shame on you! That's worse than storing plain-text passwords.
I think the worst parts of this law are the "you have to file with the Massachusetts government" aspects. The technical stuff is basically common-sense data security that everyone should already be doing.