Thursday, July 9, 2009

Massachusetts Privacy Law - Why EVERYONE should care

The Massachusetts Privacy Law (AKA 201 CMR 17.00) is on the horizon, with the deadline for compliance 6 months away. While many states have instituted privacy laws, this one is a game changer and affects companies beyond those geographically located in Massachusetts. Why is that? I'm glad you asked. Here are some things you need to know:

Q: Who does the law apply to?

The law applies to any person or business who owns, licenses, stores or maintains personal information about a resident of the Commonwealth of Massachusetts. Keep in mind, this is not limited to Massachusetts-based companies. Technically, a company based in California that has personal information about a Massachusetts resident must comply.

Q: What is the purpose of the law?

The law establishes minimum standards for safeguarding personal information in both paper and electronic form.

Q: When does the law go into effect?
Organizations must be in full compliance with the law on or before January 1, 2010.

Q: What is “personal information”?
The law defines personal information as a first and last name or a first initial and last name in combination with any of the following:
- Social security number
- Driver’s license number
- State-issued identification card number
- Financial account number
- Credit or debit card number (with or without access code or PIN)
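As an added example (not part of the original post), here is a small Python classifier that applies this definition record by record, so an organization can tell which of its systems actually hold "personal information" in the law's sense; the record field names, the system names and the sample values are assumptions constructed for the example.

```python
# Classifier for the 201 CMR 17.00 definition of "personal information":
# a name combined with at least one listed identifier. Field names (an
# assumption) and sample data are constructed for this example. A card
# number counts with or without an access code or PIN, so "pin" is ignored.
IDENTIFIER_FIELDS = {
    "ssn": "Social security number",
    "drivers_license": "Driver's license number",
    "state_id": "State-issued identification card number",
    "financial_account": "Financial account number",
    "card_number": "Credit or debit card number",
}

def _present(record, key):
    """True when the field exists and holds a non-blank value."""
    return str(record.get(key) or "").strip() != ""

def has_name(record):
    """Last name combined with either a first name or a first initial."""
    return _present(record, "last_name") and (
        _present(record, "first_name") or _present(record, "first_initial"))

def classify(record):
    """Return (in_scope, triggering identifier labels) for one record.
    Identifiers alone, or a name alone, do not meet the definition."""
    triggers = [label for key, label in IDENTIFIER_FIELDS.items()
                if _present(record, key)]
    return has_name(record) and bool(triggers), triggers

def scope_inventory(systems):
    """Map each system to the sorted identifiers that bring it into scope;
    an empty list means none of its records meet the definition."""
    result = {}
    for name, records in systems.items():
        found = set()
        for record in records:
            in_scope, triggers = classify(record)
            if in_scope:
                found.update(triggers)
        result[name] = sorted(found)
    return result

# Constructed sample systems; all values are made up.
SAMPLE_SYSTEMS = {
    "hr_payroll": [{"first_name": "Ann", "last_name": "Lee", "ssn": "000-00-0000"}],
    "web_orders": [{"first_initial": "B", "last_name": "Ortiz",
                    "card_number": "4111111111111111", "pin": ""}],
    "newsletter": [{"first_name": "Cal", "last_name": "Ng", "email": "cal@example.com"}],
    "card_tokens": [{"card_number": "4111111111111111"}],  # no name attached
}
```

The inventory this produces is a natural starting point for the "identify records and systems used to store personal information" requirement further down: only the systems with a non-empty list need the encryption, access-control and retention measures the law imposes.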

Q: What does this law require?
The law places a number of requirements on every person or organization (“covered entities”) that owns, licenses, stores or maintains personal information about a resident of the Commonwealth of Massachusetts. To comply with this law, covered entities must:

- Develop, implement, maintain and monitor a comprehensive, written information security program. Such a program must contain administrative, technical and physical safeguards to ensure the confidentiality of personal information.

- Designate one or more employees to maintain the comprehensive information security program.

- Identify and assess foreseeable internal and external risks

- Evaluate and seek to improve the effectiveness of existing safeguards on an ongoing basis, including: (1) performing ongoing employee (including temporary and contract employee) training, (2) verifying employee compliance and (3) implementing a means for detecting and preventing security system failures

- Develop security policies

- Impose disciplinary measures for violations of security program rules

- Prevent terminated employees from accessing records containing personal information.

- Take all reasonable steps to verify that any third-party service provider with access to personal information will protect it

- Limit the amount of personal information collected to the greatest extent possible, limit the time such information is retained, and limit access to that information as much as possible.

- Identify paper, electronic and other records, computing systems, storage media (incl. laptops and portable devices) used to store personal information.

- Implement restrictions to physical access to personal information records including a written procedure that defines the manner in which physical access is restricted.

- Perform regular monitoring to ensure that the security program is operating in the manner designed.

- Review the scope of security measures at least annually or whenever there is a significant change in business practices.

- Develop an incident response plan.

- Implement reasonably strong user authentication

- Implement access controls to restrict access to personal information

- Encrypt all transmitted records or files containing personal information that will travel across public or wireless networks

- Perform monitoring of systems for unauthorized use of or access to personal information

- Encrypt all personal information stored on laptops or other portable devices

- Provide firewall protection, up-to-date patching and up-to-date anti-malware signatures on all systems containing personal information that are connected to the Internet

- Conduct regular education and training of employees

Q: Wow, that's a long list. Can you summarize all of that?
Sure. Basically organizations need to:
- Perform an assessment to identify internal and external risks.
- Develop a formal, documented information security program based on the results of the risk assessment.
- Document the program via a suite of information security policies.
- Utilize strong authentication methods and strict access controls
- Ensure effective patch and configuration management
- Implement physical access controls
- Incorporate risk assessment into daily operations
- Perform regular internal audits to verify compliance
- Use secure, encrypted communications protocols
- Perform security monitoring and maintain an incident response program

Q: What can be done to comply with this law? What are the next steps?
First, and most importantly, it is critical to perform an initial compliance/risk assessment. During such a project you would ideally accomplish two simultaneous goals: assess your current security posture to identify any compliance gaps, and perform the initial risk assessment dictated by 201 CMR 17.00.

Based on the outcome of the assessment, there are a number of initiatives that will commonly be required:
- Development of information security policies
- Development of an internal audit program
- Performance of periodic security reviews
- Penetration testing & web application security testing
- Development of an incident response plan
- Configuration of technologies to provide encrypted communications protocols

One final thought. Keep in mind that the law specifically states that compliance will take into account the size of the business, the resources available, the amount of stored data and the need for confidentiality of both customer and employee information. Because of this, our recommendations to any customer will only be based on the outcome of a risk assessment.

All of that said, if you are a company that "does business" in the Commonwealth of Massachusetts, you should take a hard look at your security posture and your level of compliance with the requirements of this law. Failure to do so could mean failure to comply with the law and that could open you up to legal liability risks, public relations problems and a host of other nastiness that nobody wants.
