Are You Ready For 201 CMR 17.00 – Massachusetts’ New Privacy Law Sets Strict Standards for the Protection of Personal Information
Originally scheduled to be signed into law in January 2009, and then in May 2009, 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth, has been pushed back to January 1, 2010.
Is this enough time for your company to get your house in order?
The law establishes protection standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts, in both electronic and paper format. So even if you do not run your business in the Commonwealth, you are still affected if you keep personal information about a resident of Massachusetts.
Personal information is defined as a Massachusetts resident’s first name and last name, or first initial and last name, in combination with any one or more of the following:
(a) Social Security number;
(b) driver’s license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.
Even though enforcement policies for this law are still being developed, a similar law passed in Nevada would cap damages at $1000 per individual affected for each data breach. Those companies found not to comply with the regulations face unlimited civil penalties.
Some things you need to do:
- Listen to our Podcast and read 201 CMR 17.00 here
- Create and maintain/update a written information security policy (WISP)
- Classify your data, separating it into highly confidential, confidential, internal and public. This will help you add the right level of protection without overspending
- Determine your data retention requirements and add them to your WISP. Data you no longer need may be putting you at risk
- Implement good secure authentication and access control practices
- Where feasible, encrypt personal information both where it is stored and when it is transmitted across a public network, and especially any data transferred over a wireless network
- Provide reasonable monitoring for suspicious activity and unauthorized access
- Build firewall protection around systems that are attached to the Internet
- Install and maintain up-to-date computer protection such as anti-virus software, malware protection, etc.
- Train your employees about computer security; it’s everyone’s responsibility. The weak link in the chain puts your whole company at risk
Listen to our Podcast for more details on this very subject at www.cppit.com/podcast or download it free from iTunes store by searching on Compliance Process Partners.
The State of Massachusetts has provided a 201 CMR 17.00 Compliance Audit Checklist, available at mass.gov: http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf