As many of you are aware, the new Massachusetts Standards for the Protection of Personal information (201 CMR 17.00) will hit the books on January 1, 2010. The law establishes protection standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts in both electronic and paper format. So even if you do not run your business in the Commonwealth you are still affected if you keep personal information about a resident of Massachusetts.
Personal information (PI) is defined here.
Here are the 5 things you need to do today to begin the process for compliance:
1. Read the Regulation (http://snipurl.com/ipfwi) and the 201 CMR 17 checklist (http://snipurl.com/201_cmr_checklist)2. Roles and Responsibilities – Assign ownership for the overall security program within your organization. Next, elect a Security Council comprised of senior staff or management that are stakeholders in protecting personal (and other sensitive corporate) information. The Security Council facilitates consensus relative to the risks, impacts and priorities for compliance and will help with achieving (or changing) the security culture for your organization3. Find the Personal Information (PI) – Through interviews with Business Managers, Data Owners and Subject Matter Experts. Additionally, the use of technology such as IdentityFinder can facilitate speedier PI discovery. Once discovered:
- Determine whether this data is still required and needed in the discovered location
- Do you need all the PI data or can you do without (do you still need your old customer’s credit card number)?
- Determine who requires mandatory access to the information and plan for the modification of your access lists to comply
- Ensure other safeguards are in place to protect this information (Physical access, firewalls, strong authentication/passwords, encryption). If not, budget and plan accordingly
4. Review your current Written Information Security Policies, if they exist, and plan for their update to include compliance. If they do not exist, develop a project plan to begin the development process. The larger the organization, the longer this will take for development and approval.5. Determine if your Third-Parties, partners, consultants, etc. have access to PI and begin the process of discovering their protection mechanisms
Compliance doesn’t happen overnight. The sooner your company develops a strategy for 201 CMR 17.00 compliance the better your organization’s chances to meet the January 1, 2010 mandate. These safeguards not only make good business sense, they will soon be the law.