June 2010
Down and Dirty Electronic Data Protection


Previously we looked at the Massachusetts personal information security requirements as they apply to all personal information a business owns or licenses.  It was, admittedly, not a light read, but it is necessary information to have in our knowledge bank.  In this article, the last in our series on data protection, we look at Sections 4 and 5 of the Massachusetts regulation, which set out the specific requirements for electronically stored or transmitted data and the compliance deadline.  As most businesses maintain some form of electronic data, this is a very important topic to know and understand.  These details are found in the Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00), at Sections 17.04 and 17.05.  If you would like to see the entire set of regulations, they are available for free download at the White Space Resource Center.

201 CMR 17.04, titled “Computer System Security Requirements,” mandates that “every person that owns or licenses personal information about a resident of [Massachusetts]” and stores or transmits that data electronically include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless systems.  To the extent technically feasible, that security system must contain the following elements:

1.  Secure user authentication protocols that include:

A.  Control of user IDs and other identifiers;

B.  A reasonably secure method of assigning and selecting passwords, or the use of unique identifier technologies such as biometrics or token devices;

C.  Control of data security passwords so that they are kept in a location and format that does not compromise the security of the data they protect;

D.  Restriction of access to active users and active user accounts only;

E.  A method to block access to a user ID after multiple unsuccessful attempts to log in, or after the limit placed on access for the particular system is reached.

2.  Secure access control measures that:

A.  Restrict access to protected data to only those persons who need it to perform their job functions;

B.  Assign a unique user ID plus password to each person with computer access, where the passwords are not vendor-supplied defaults and the scheme is reasonably designed to maintain the integrity of the access controls.

3.  Encryption of all records and files containing personal information that are transmitted wirelessly or across public networks (such as the internet).

4.  Reasonable monitoring of systems for unauthorized use of, or access to, personal information.

5.  Encryption of all personal information stored on laptops or any other portable device (flash drives, discs, external hard drives and the like).

6.  Reasonably up-to-date firewall protection and operating system security patches, designed to maintain the integrity of the personal information, for every system holding protected data that is connected to the internet.

7.  Reasonably up-to-date system security agent software that includes malware protection, with reasonably up-to-date patches and virus definitions, and that is set to receive the most current security updates on a regular basis (what “reasonably up-to-date” means will end up before a judge, as what is reasonable to a particular business might not be reasonable to the government).

8.  Education and training of employees on the proper use of the computer security system and the importance of personal information security.  The training program should be documented.
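Items 1E and 4 above are the two elements most often implemented as code rather than policy: a login path that blocks a user ID after repeated failures, and an audit trail of every failed or blocked attempt that can be monitored.  The following is an added example written for this article, not code from the regulation or from any vendor.  The threshold of five attempts and the fifteen-minute lockout window are assumptions (201 CMR 17.04 sets no specific numbers), as are the class and function names; the accounts and timestamps are constructed for the demonstration.

```python
"""Account lockout (17.04(1)(e)) plus an access audit trail (17.04(4)).

Added illustration; the attempt limit, lockout window and all names are
assumptions, not values taken from the Massachusetts regulation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5                  # assumed policy value
LOCKOUT_WINDOW = timedelta(minutes=15)   # assumed policy value
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored credentials are not recoverable (item 1C)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Item 4: every failed, blocked and successful attempt is recorded
        # so unauthorized access attempts can be monitored.
        self.audit_log: List[str] = []

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt))

    def _log(self, now: datetime, user_id: str, event: str) -> None:
        self.audit_log.append(f"{now.isoformat()} user={user_id} event={event}")

    def is_locked(self, user_id: str, now: datetime) -> bool:
        acct = self.accounts.get(user_id)
        return bool(acct and acct.locked_until and now < acct.locked_until)

    def login(self, user_id: str, password: str, now: datetime) -> bool:
        """Return True only for a correct password on an unlocked account."""
        acct = self.accounts.get(user_id)
        if acct is None:
            # Still log it: repeated unknown-user attempts are a monitoring signal.
            self._log(now, user_id, "failure unknown_user")
            return False
        if acct.locked_until is not None:
            if now < acct.locked_until:
                # Item 1E: blocked regardless of whether the password is right.
                self._log(now, user_id, "blocked locked_out")
                return False
            acct.locked_until = None          # window expired; start fresh
            acct.failed_attempts = 0
        candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.pw_hash):
            acct.failed_attempts = 0
            self._log(now, user_id, "success")
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_WINDOW
            self._log(now, user_id, f"locked attempts={acct.failed_attempts}")
        else:
            self._log(now, user_id, f"failure attempts={acct.failed_attempts}")
        return False


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery")        # constructed account
    t0 = datetime(2010, 6, 1, 9, 0, 0)                    # constructed timestamp
    for i in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong", t0 + timedelta(seconds=i))
    print("locked:", svc.is_locked("alice", t0 + timedelta(minutes=1)))
    print("right password while locked:", svc.login("alice", "correct horse battery", t0 + timedelta(minutes=1)))
    print("after window:", svc.login("alice", "correct horse battery", t0 + timedelta(minutes=16)))
    print("\n".join(svc.audit_log))
```

Note that a correct password submitted during the lockout window is still refused and still logged; that is the point of item 1E, and it is also why the audit log, not the return value, is what a monitoring process should watch.  Reviewing that log for bursts of `locked` and `unknown_user` events is the kind of "reasonable monitoring" item 4 asks for.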

Businesses must be compliant with the law examined in this series right now.  Section 17.05 of the regulation set the compliance deadline at March 1, 2010.  If your business is not compliant, it is critical that you create a comprehensive information security program.  If you need any assistance, please contact us.  We can help you develop your comprehensive information security program.  While resources, whether in-house or outsourced, must be dedicated to this effort, it is necessary to protect your business from a data breach and to limit your liability in the event a breach does occur.

Like insurance, we all hate spending the time and money to protect against an event we hope will never happen.  However, we all carry insurance.  We carry insurance because we know that in the event of an accident or disaster, the cost of being covered is far less than the cost of not being covered.

Please leave your thoughts and comments on this subject.  If you have any questions, please feel free to post them here or contact us directly for a no-cost, no-obligation initial consultation.  Our job is to help you make sure your business is protected and thriving and we welcome the opportunity to serve you.

DISCLAIMER:  The information presented here is general in nature, does not take your jurisdiction or actual circumstances into account and therefore may not apply to your circumstances or in your jurisdiction.  You should not rely on this general information as a substitute for legal advice from your attorney.  This is not an attorney-client communication.  You should seek individual advice from an attorney of your choosing if you require assistance in any legal or compliance matters.
