In February 2010, Massachusetts raised the bar in security for businesses keeping its residents' information by creating the most comprehensive data protection and privacy law in the United States, 201 C.M.R. 17, also known as the Standards for the Protection of Personal Information of Residents of the Commonwealth. This regulation, issued by the Department of Consumer Affairs, requires all businesses that own or license personal information of a Massachusetts resident to comply with the minimum security standards set forth in the regulation.
Standards for Protecting Personal Information
The Massachusetts Standards require any natural person or entity (excluding the Massachusetts government and any natural person not engaged in commerce) that owns or licenses personal information of a Massachusetts resident to implement a written information security program ("WISP") with appropriate administrative, technical, and physical safeguards.[1] Such safeguards must be consistent with those set forth in state and federal regulations to which a business is subject, including data breach notification laws, HIPAA, and the Gramm-Leach-Bliley Act.
The Massachusetts Standards define "personal information" as "a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account." The Massachusetts Standards exclude from the definition any information lawfully obtained from publicly available information or from government records available to the general public.[2]
The Massachusetts Standards adopt a risk-based approach to information security, meaning that a business should take into account "the particular business'[s] size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security" in implementing its WISP.[3] The regulation does not prescribe a one-size-fits-all approach and allows small businesses that do not store or transfer large amounts of personal information to adopt less stringent requirements in their WISPs.
[1] 201 Mass. Code Regs. § 17.03(1) (2009).
[2] 201 Mass. Code Regs. § 17.02 (2009).
[3] Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulation, "Frequently Asked Question Regarding 201 CMR 17.00," Nov. 3, 2009, available at http://www.mass.gov/ocabr/docs/idtheft/201cmr17faqs.pdf.
Moving forward to 2017, there continue to be constant attacks against small business data. The need for encryption, web security, and blocking malicious ransomware remains at the forefront of business technology needs. There have been a few important changes to the original standard. Below are the important differences between the 2010 version and the current one.
- The most recent regulation issued in August of 2009 makes clear that the rule adopts a risk-based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC's Safeguards Rule. A risk-based approach is one that directs a business to establish a written information security program (WISP) that takes into account the particular business's size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. It differs from an approach that mandates every component of a program and requires its adoption regardless of the size and nature of the business and the amount of information that requires security. This clarification of the risk-based approach is especially important to those small businesses that do not handle or store large amounts of personal information.
- A number of specific provisions required to be included in a business's written information security program have been removed from the regulation and will be used as a form of guidance only.
- The encryption requirement has been tailored to be technology neutral, and technical feasibility has been applied to all computer security requirements.
- The third-party vendor requirements have been changed to be consistent with federal law.
NSK Inc takes this regulation and the many other regulations in effect (HIPAA, Dodd-Frank, FISMA, etc.) for our clients' security very seriously, and we work with our clients to make sure that they continue to stay in compliance with these standards. We have created a complete body of technologies, processes and practices designed to protect our clients' networks, computers and data from attacks, damage or any other unauthorized access.
To make it easier to write your WISP, which the law requires to be in writing, we have added a Massachusetts WISP template to help with your security plan.