
- How Secure is your data?
Let us review what we have covered thus far. It has been a while since we discussed this topic (sorry for the extended period of silence and thank you to everyone who checked in during that time. It was just a busy business schedule, but your concern is appreciated). Thus far, we identified a general need for data security and the need for a comprehensive written privacy protection policy relative to personal information. We then started to review the Massachusetts Regulations regarding data security. In Section 1, we looked at the purpose and scope of the Regulations. We then reviewed the definitions within the Regulations and how the Regulations could affect your business even if you have never set foot in Massachusetts.
This article will examine the obligations companies that own or license covered data must take to safeguard that data. These details are found in Section 3 of the Standards For the Protection of Personal Information of Residents of the Commonwealth. If you would like to see the entire set of Regulations, they are available for a free download at the White Space Resource Center.
201 CMR 17.03, titled “Duty to Protect and Standards for Protecting Personal Information,” mandates that “every person” that owns or licenses personal information about a resident of Massachusetts “develop, implement and maintain” a written, comprehensive information security program. This written data security program must be readily available and contain administrative, technical and physical safeguards that are appropriate for:
(a) the size, scope and type of business;
(b) the resources available to the business maintaining such data;
(c) the amount of data; and
(d) the need for security and confidentiality of both consumer and employee information.
The comprehensive information security program must be consistent with all state and federal laws under which the entity possessing such information is covered. This means that each state’s laws, in addition to Federal laws, regarding data security must be followed. How all of these laws, and the interplay among them, will end up being interpreted by the Courts is still an unknown. Please keep in mind that the laws of a state can apply to your business even if your company is not physically within that state. The Massachusetts regulation covers any business (or individual) that “owns or licenses information about a resident of … Massachusetts.” Theoretically, you could be looking at the need to comply with 51 sets of laws.
Section 2 of this part of the Regulation provides a detailed framework for a compliant, written, comprehensive Information Security Program. I will distill it here, and the entire regulation is available at the White Space Resource Center. Notwithstanding, I suggest that you seek professional assistance in drafting your company’s data security program. Regardless of who drafts your plan, it should contain the following:
a. Identification of one or more key employees who are primarily responsible for the data security plan.
b. Identify the “reasonably foreseeable” threats (internal and external) to the “security, confidentiality and/or integrity” of the data and take steps to limit such risks. These steps can include, but are not limited to:
1. ongoing staff training;
2. employee compliance with the program; and
3. means for detecting and preventing data security system failures.
c. Develop security policies for employees relative to the storage, access and transportation of the personal information. This would also include safeguards when selling, renting or transferring any such data.
d. Impose disciplinary measures for violations of the company’s data security policy.
e. Develop measures to prevent departing employees, whether terminated or voluntarily departing, from accessing protected data.
f. Oversee vendors with access to protected data by:
1. Choosing vendors that comply with these regulations and those of the Federal government.
2. Contractually require vendors to have their own compliant data protection and security programs in place. (NOTE: there is an exception to this mandate. Contracts entered into prior to March 1, 2010 do not need to contain a data security provision. This exception remains in force until March 1, 2012.) (AUTHOR’S NOTE: just to be on the safe side, I would suggest that even if you do have a contract that fits into this exception, you make sure your vendor has adequate safeguards in place. Again, while it might be your vendor that mishandles the data, if they use your customer data improperly, you will be blamed by the customer, even if the government gives you a break – just my two cents – now back to the article already in progress…)
g. Place reasonable restrictions on access to protected data. This can include limiting access to electronic data with passwords and encryption and locking physical records in a secure location.
h. Monitor the data security safeguards you have in place to ensure they are adequately protecting the personal information. Upgrade the systems as required.
i. Conduct reviews of the comprehensive data security program as business requires, but no less than annually to ensure that changes in the business have not compromised the security of the data.
j. If a security breach does occur, you must immediately conduct a post-incident review. In this review, make sure you properly document all corrective action taken, including employee discipline if warranted. Also, document any changes to your comprehensive information security program that come about from lessons learned as a result of the incident.
While this is a lot of information, most of what is mandated is just good business practice. If you have questions or would like to comment on this post, please leave a comment. I welcome the opportunity to help you with your data security compliance needs. In the next part of this series, we will look more closely at electronic data security.
DISCLAIMER: The information presented here is general in nature, does not take your jurisdiction or actual circumstances into account and therefore may not apply to your circumstances or in your jurisdiction. You should not rely on this general information as a substitute for legal advice from your attorney. This is not an attorney-client communication. You should seek individual advice from an attorney of your choosing if you require assistance in any legal or compliance matters.