ExoLytic, Inc.
Quality management and project outsourcing
Right people. Right solutions.
201 CMR 17
It is a Massachusetts regulation entitled
"Standards for the Protection of Personal Information of Residents of the
Commonwealth", and the deadline for every covered organization to comply was
March 1, 2010.
The regulation applies to all organizations that "own,
license, store or maintain personal information about a resident of the
Commonwealth of Massachusetts." This includes human resources data on
employees as well as customer records, transaction records and other
sensitive data.
To comply with the regulation, a company must take actions such as:
- Create and maintain a Written Information Security Program (WISP) that
documents the reasonably foreseeable risks to personal information and the
safeguards you have put in place to address them.
- Enact a data privacy awareness policy and train every employee who has
access to personal information.
- Employ security monitoring, up-to-date antivirus and firewall protection on
your servers, PCs, laptops and mobile devices, and encrypt personal
information stored on laptops or portable devices or transmitted across
public or wireless networks.
- Review the practices of all third parties with whom you share personal
information to ensure that they can maintain appropriate safeguards.
If there is a data breach at your business and you are found to have been non-compliant, the consequences and fines can be high.
Ignoring this mandate is not an option.
Standards for the Protection of Personal Information of Residents of the Commonwealth
MASSACHUSETTS' 201 CMR 17 DATA PROTECTION REGULATION
Complying with 201 CMR 17 can be confusing
and costly for businesses that do not already have a comprehensive written
security program in place. If a breach does occur, a business may lose
customers and employees who do not want to deal with a company that has an
inadequate security program, which is costly in terms of revenue, staff and
brand. In addition, companies that were not in compliance with the
regulation by March 1, 2010 face penalties.
The regulation applies to every employer of
Massachusetts residents, not just companies processing credit card
transactions. Every employer holds personal information about its
employees, including employment applications, tax forms, immigration
forms, payroll records, benefits forms and direct deposit
authorizations. It also covers certain vendor information and other
information that businesses collect in the course of their
operations.
201 CMR 17 requires an employer to do at
least the following:
Develop and maintain a comprehensive Written
Information Security Program ("WISP") to safeguard personal
information. If the covered person (the regulation's term for any
individual or organization it applies to) electronically stores or
transmits personal information, the WISP must include a security system
covering the person's computers and any portable and/or wireless devices.
Safeguards must be appropriate to the size, scope and type of the person's
business, to the resources available to it, to the amount of stored
data, and to the need for security and confidentiality of consumer and
employee information. They must also be consistent with the safeguards for
the protection of personal information, and information of a similar
character, set out in any state or federal regulations that apply to the
person.
The WISP must provide administrative, technical and physical safeguards for
personal information under 201 CMR 17. It must address a wide range of
matters that include, but are not limited to:
- Designation of the individual(s) who will oversee and maintain the WISP;
- Analysis of the reasonably foreseeable internal and external risks to the
security, confidentiality and integrity of records, in any form, that
contain personal information; of the effectiveness of current safeguards in
limiting those risks; and of the need to develop improved safeguards;
- Policies and procedures for employee training on the importance of the
WISP, its specific requirements and the consequences of failing to comply
with them, and for preventing access by former employees;
- For paper records, secure storage of materials containing personal
information, including restrictions on physical access to such records;
for electronic records, access controls that restrict access to those who
need it and secure user authentication protocols (for example, control of
user IDs and passwords, restricting access to active users only, and
blocking access after multiple unsuccessful login attempts);
- Encryption, to the extent technically feasible, of personal information
stored on laptops or other portable devices, and of personal information
transmitted across public networks or wirelessly;
- Provisions to ensure that any electronic records system connected to the
internet has firewall protection and operating system security patches,
that its security software includes malware protection and virus
definitions, and that all of these were reasonably current as of March 1,
2010 and are updated regularly thereafter;
- Oversight of third-party service providers with access to personal
information, including a process for selecting and retaining providers
capable of maintaining security measures consistent with 201 CMR 17;
- Regular monitoring to ensure that the WISP is operating effectively for
both paper and electronic records, to detect any unauthorized use of or
access to personal information, and to identify where upgraded safeguards
are needed;
- Review of the WISP's scope at least annually, and whenever there is a
material change in business practices that may reasonably affect the
protection of personal information; and
- Documentation of the response to any breach of security and of any
subsequent changes to practices for protecting personal information.
New regulations appear every year, and audit processes and enforcement change with them.
Each regulation tends to focus on a specific category of information, risk
and control (HIPAA, the Massachusetts and Nevada laws, California's breach
notification law SB 1386, and so on), pushing companies to build a new
compliance effort for each one as it appears. Yet most regulations share a
common set of requirements:
- Governance
- Risk assessment
- Evaluation of effectiveness
- Management of service providers
- Documentation
The challenge is to identify the requirements
specific to each regulation and fold them into a single framework. One
solution is to implement ISO/IEC 27001.
ISO/IEC 27001 is the international standard for information security
management systems, formally entitled "Information technology - Security
techniques - Information security management systems - Requirements". It
is the standard against which organizations are certified by third-party
auditors.
This balanced framework serves as the basis both for measuring
an organization's effectiveness in addressing risk and for structuring its
overall security program. Because the ISO 27001 control set (catalogued in
detail in ISO/IEC 27002) covers most of what other major regulations
require, an organization that achieves ISO 27001 certification is well on
its way to meeting the requirements of Sarbanes-Oxley, Gramm-Leach-Bliley,
HIPAA and other pertinent regulations.
This approach satisfies regulatory and contractual needs because it is a
sound compliance program that lets you adapt to 201 CMR 17, the regulations
above, and others as they appear.
Downloadable regulations from the Commonwealth of Massachusetts website:
- 201 CMR 17.00 Compliance Checklist
The information above was prepared for educational purposes only. It should not be relied on as legal advice. Consult with counsel before making any decisions with respect to the issues discussed in this page.
