TBG Security: Information Security Consulting
201 CMR 17.00 Mass Privacy Law

Standards for the Protection of Personal Information of Residents of the Commonwealth

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) released the final version of its “Standards for the Protection of Personal Information of Residents of the Commonwealth” (the “Regulation”), establishing standards for how ALL businesses, whether based in Massachusetts or not, protect and store personal information about Massachusetts residents. 201 CMR 17.00 requires, among other things, that businesses encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data, and deploy up-to-date firewalls to create “an electronic gatekeeper” between the data and the outside world that only allows authorized users to access or transmit data.

All companies that license or store PI must comply with the regulations by March 1, 2010.

What is Personal Information (PI)?

Massachusetts defines Personal Information as a resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to the resident:

  • Social Security number
  • Driver’s license number or state-issued identification card number
  • Financial account number
  • Credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account

Does my business need to comply?

All businesses and other legal entities that own or license personal information about a resident of the Commonwealth are required to develop, implement and maintain a comprehensive information security program applicable to any records containing such personal information. Personal Information is frequently found in payroll records, employee and candidate HR files, student files, patient data, and certain consumer-related files.

What if I don’t comply?

A civil penalty of $5,000 may be levied for each violation of M.G.L. 93H / 201 CMR 17.00. In addition, under the portion of M.G.L. 93I concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal.

Will my Business Insurance cover this?

As we all understand, insurers will look for loopholes to keep from paying on a policy. Most business owners are unaware of how Information Security lapses can negate their coverage entirely. This gap in coverage has the ability to put your company out of business. Failure to follow or document due care and due diligence is evidence of negligent behavior. Your ability to show documentation that your business is doing what is required will mean the difference between having insurance cover the costs of a data breach and going bankrupt from having to pay those costs out of pocket.

How TBG Can Help

TBG Security consultants have been helping customers comply with State and Federal business and privacy regulations for the past fifteen years. Working either as a full-service consultant or as an adjunct to your in-house business and security team, TBG will execute a three-phase compliance readiness process to ensure that your business meets or exceeds its compliance requirements. We are able to assist your organization in meeting these and other information security-related business regulations, including, but not limited to:

  • Creating a comprehensive Information Security Policy
  • Performing an audit to determine your organization’s current level of compliance with these new business regulations
  • Advising your company on the specific steps needed to achieve compliance
  • Deploying and supporting security infrastructure to automatically encrypt email messages
  • Performing initial setup and training for software to encrypt your company’s laptops and other mobile devices
  • Updating and supporting your primary security infrastructure, including firewalls, VPN access, anti-phishing, and tools to protect against malicious code
  • Identifying and recommending remediation for vulnerabilities present in your internal systems

For more information on how TBG Security can help your organization reach compliance, contact us by email or call us directly at 877.233.6651 ext. 704.