DON'T WAIT ANY LONGER. MARCH 1, 2010 WILL BE HERE BEFORE YOU KNOW IT!
Do you have all the information you may need to become compliant with the new Massachusetts Regulation 201 CMR 17.00?
This regulation is inherent to Massachusetts General Law 93H (MGL 93H). This law was written to define the security breaches and regulations for safeguarding the personal information of any Commonwealth of Massachusetts resident. This regulation implements the provisions of the law and describes what you need to have in place in your company in order to be compliant.
Why was 93H created? Why 201 CMR 17.00?
The Department of Consumer Affairs and Business Regluations issued this law and these regulations in response to the following data breaches:
- TJ Max (TJX ), January 17, 2007: Affected about 100 million account numbers. They were hacked several different ways - through wireless connections and kiosks
- Hannaford Supermarkets, between Dec. 7, 2007 and Mar 10, 2008: More than 4 million card numbers were exposed, and by the time Hannaford publicly announced the breach, on March 17, 2008, about 1,800 fraudulent charges had been made.
In response, M.G.L. Chapter 93H was enacted in November, 2007. Within the first 10 months after enactment of M.G.L. Chapter 93H, the office of Consumer Affairs and Business Regulation received 318 notifications of security breaches.
- Other Security Threats: Malware, viruses.
- 10 involved data that was encrypted
- 69 involved data that was password protected
- Total MA residents affected was 625,365
- 60% were due to stolen laptops or hard-drives and 40% were employee error or sloppy internal handling.
- 75% were in the financial services sector.
Massachusetts then took the lead in passing a new regulation - 201 CMR 17.00 - that required companies to implement a comprehensive data security plan that incuded encryption of all computer systems with personal information of a Massachusetts resident.
What Does This Mean to Your Business?
| It means that the Commonwealth of Massachusetts is setting minimum standards for the protection of personal information, whether that information is stored in electronic or paper format. It means that if your company owns, licenses, stores or maintains personal information about a Massachusetts resident You MUST take steps to comply with this new regulation.|
What is Personal Information?
| According to 201 CRM 17.00, personal information is defined as the First Name or First Initial, Last Name and any one or more of the following information:|
If you are a business located in Massachusetts or you have employees who reside in Massachusetts and you have copies of driver's licenses, employment applications, personnel files or payroll information on those employees, you MUST take steps to comply.
- Social Security Number Credit Card or Debit Card Number
- State ID Card Bank or Financial Account Number Drivers
- License Number
- If you accept credit cards, you have the imprint of the card or the data from the magnetic strip. This information falls in the above catagory. You MUST take steps to comply.
What Do You Need To Do?
Establish and Maintain a security program to all who have access to personal information with the following Elements:
Computer System Security Requirements
- Control of user IDs and passwords
- Secure method of assigning and selecting passwords
- Assign unique identifications plus passwords which are not default passwords
- Block access after multiple unsuccessful attempts to computers and servers holding the personal information
- Restrict access to inactive accounts
- Restrict access to files, to those that need acces to perform their job duties
Transmission of personal information
- Encryption of all transmitted rocords and files containing personal information that travels across public networks
- Encryption of all wireless networks
Encryption of portable devices
- Personal information stored on laptops and other portable devices must be encrypted
- Make sure all computer and servers that hold personal information stay up to date on:
- Operating system patches
- Firewall software
- Antivirus software set to receive most current updates on a regular basis
- Antivirus software must include malware protection
Training and Monitoring
- Education and training of employees on the proper use of the computer security system and the importance of personal information security
- Reasonable monitoring of systems for unauthorized use or access to personal information
Written Information Security Program (WISP)
- Dsignate 1 or more persons to maintain the program
- Identify risks and evaluate safegaurds
- Develop security posicies for employees that work outside the office
- Impose disciplinary measures for program violations
- Prevent terminated employees from accessing personal information
- Make sure that third-party service providers have an information Security program that is compliant
- Limit the amount of personal information collected, the time it is retained and access to it
- Identify system used to store personal information
- Restrict physical access to records
- Regularly monitor the program once it is in place
- Review the scope of security measures at least annually or when there is a change in business practices
- Document responsive actions taken in a security breach incident