TBG Security: Information Security Consulting
Frequently Asked Questions Regarding 201 CMR 17.00 (cont.)


How much employee training do I need to do?

There is no magic formula here. You will need to do enough training to ensure that the employees that will have access to personal information know what their obligations are regarding the protection of that information, as set forth in the regulations.

How do I decide who can have access to records containing personal information?

The regulations require you to limit access to personal information to those persons who reasonably need it in order to accomplish a legitimate business purpose, or to comply with other state or federal regulations. Whatever access is needed for compliance with state or federal laws/regulations is automatically authorized. Otherwise, you should identify your business needs, determine what tasks are reasonably necessary to satisfy those business needs, and identify who must have access to carry out those tasks.

How do I know if I’m limiting in the right way the amount of personal information collected?

As with the previous question, the correct approach here involves determining your legitimate business needs and then identifying the kinds of personal information reasonably needed to perform the tasks required to satisfy those business needs. Here again, collection of personal information needed for compliance with state or federal laws/regulations is always permitted.

Will I need to buy new computer equipment or new software?

Your need for new computer equipment will depend on whether your current equipment meets the minimum requirements for running the software that will secure any electronic records containing personal information. The versions of the security software and operating system that you currently run must still be supported by their vendors so that they receive security updates, and your computer equipment must meet the minimum requirements for running the needed software. If not, you will need new software, new hardware, or both.

What is the extent of my “monitoring” obligation?

The level of monitoring necessary to ensure your information security program is providing protection from unauthorized access to, or use of, personal information, and effectively limiting risks will depend largely on the nature of your business, your business practices, and the amount of personal information you are maintaining or storing. It will also depend on the form in which the information is kept and stored. Obviously, information stored as a paper record will demand different monitoring techniques from those applicable to electronically stored records. In the end, the monitoring that you put in place must be such that it is reasonably likely to reveal unauthorized access or use.

What is a security breach?

A security breach occurs when there is an unauthorized acquisition of unencrypted data that can be used to compromise the security, confidentiality, or integrity of personal information and creates a substantial risk of identity theft or fraud. Acquisition or use of encrypted data along with the encryption key would also be considered a security breach.

What constitutes a reportable event?

If a person who is holding information knows of a security breach, or that personal information was acquired by an unauthorized person or used for an unauthorized purpose, then a reportable event has occurred.

When a security breach has occurred, who is a company required to notify?

If a reportable event has occurred, the company is required to notify the Office of Consumer Affairs and Business Regulation (OCABR) and the Attorney General, as well as the affected party. The law also requires that when a company reports a breach, it also provide details of the steps that have been taken to prevent a breach from happening again. Additionally, each employee/consumer whose data has been compromised must be notified.

How will this new law affect businesses in Massachusetts?

These regulations apply to all companies conducting business in Massachusetts, large and small, who compile or maintain records that include personal information. Companies will need to establish and maintain a security program for the protection of personal information. The regulations call on businesses to encrypt data sent over the Internet or saved on laptops or flash drives; encrypt wirelessly transmitted data; and to utilize up-to-date firewall protection that creates an electronic gatekeeper between the data and the outside world and only permits authorized users to access or transmit data, according to preset rules.

What changes will companies need to make?

Many companies may already have most, if not all, of the required measures in place to protect personal information. Some companies may simply need to activate security features in hardware and software that are already in place on their computer systems and networks, while other companies that currently conduct no protective maintenance on their data records may incur an incremental cost to enhance their technical oversight.

How will we know which companies are following the rules and which ones are not?

As with most laws, we will discover who is not playing by the rules when a breach occurs and it is investigated. No company is exempt from these requirements and the Attorney General has the enforcement role under the statute.

If a company complies with federal Gramm-Leach-Bliley or HIPAA requirements, does it have to comply with these new regulations as well?

Yes. These regulations are not pre-empted because both GLB and HIPAA allow state laws to provide for a higher standard of protection.

How can a company determine that the vendors they work with are complying with the regulations?

The vendor will need to sign a document that says that it has a written, comprehensive information security program that is in compliance with the provisions of the regulations.

When do the regulations become effective?

The regulations become effective on March 1, 2010. Prior to the effective date, a company must complete internal and external security risk assessments and provide training to its employees.

Has the state provided guidelines for a security program?

While each company will need to adopt a plan that complies with the new regulations and considers its specific business operations, the Office of Consumer Affairs and Business Regulation will provide a model plan as a guideline by October 1st.
