<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>White Space Marketing:  Communication Strategy and Compliance &#187; Personal Information Security</title>
	<atom:link href="http://www.whitespacemessaging.com/category/personal-information-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.whitespacemessaging.com</link>
	<description>Providing Consistency in an Ever-Changing World.</description>
	<lastBuildDate>Thu, 10 Jun 2010 03:32:13 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Down and Dirty Electronic Data Protection</title>
		<link>http://www.whitespacemessaging.com/2010/06/07/data-protection/</link>
		<comments>http://www.whitespacemessaging.com/2010/06/07/data-protection/#comments</comments>
		<pubDate>Tue, 08 Jun 2010 02:26:20 +0000</pubDate>
		<dc:creator>John</dc:creator>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Personal Information Security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Communication]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Marketing]]></category>

		<guid isPermaLink="false">http://www.whitespacemessaging.com/?p=238</guid>
		<description><![CDATA[In this article, the last in our series, we will look at sections four and five of the Massachusetts law, which address the specific requirements for electronic data and the compliance deadline.  As most businesses maintain some form of electronic data, this is a very important topic to know and understand.  http://www.whitespacemessaging.com/2010/06/07/data-protection/]]></description>
			<content:encoded><![CDATA[<p>Previously we looked at the Massachusetts personal information security requirements as they relate to all personal information a business owns or licenses.  It was, admittedly, not a light read, but it is necessary information to have in our knowledge bank.  In this article, the last in our series on data protection, we will look at sections four and five of the Massachusetts law, which address the specific requirements for electronic data and the implementation dates.  As most businesses maintain some form of electronic data, this is a very important topic to know and understand.  These details are found in <em><span style="text-decoration: underline;">Standards For the Protection of Personal Information of Residents of the Commonwealth</span></em>, at Sections 4 and 5.  If you would like to see the entire set of Regulations, they are available for a free download at the <a href="http://whitespace-marketing.com/12.html">White Space Resource Center</a>.<span id="more-238"></span></p>
<p>201 CMR 17.04, titled “Computer System Security Requirements,” mandates that “every person that owns or licenses personal information about a resident of [Massachusetts]” and stores or transmits that data electronically include in its comprehensive information security program the establishment and maintenance of a data security system that covers its computers, including wireless systems.  To the extent technically feasible, the comprehensive information security program must contain the following elements:</p>
<p>1.  Protocols for user authorization that include:</p>
<p style="padding-left: 30px; ">A.  Password-protected access;</p>
<p style="padding-left: 30px; ">B.  A secure method, such as passwords or biometrics, to limit access to the protected data;</p>
<p style="padding-left: 30px; ">C.  Systems to protect the passwords and access maintained in such a way as to not compromise the security of the data;</p>
<p style="padding-left: 30px; ">D.  Limitations on the active users who have access to the protected data;</p>
<p style="padding-left: 30px; ">E.  A method to block access to any user after multiple unsuccessful login attempts.</p>
<p>2.  Secure access control measures that:</p>
<p style="padding-left: 30px; ">A.  Restrict access to protected data to only those persons who require access to perform their job functions;</p>
<p style="padding-left: 30px; ">B.  Assign unique user IDs and passwords, not generated by default within the particular computer system, and that are designed to maintain the integrity of the security of the protected data.</p>
<p>3.  Encryption of all data that is transmitted wirelessly or across public networks (like the internet).</p>
<p>4.  Methods of monitoring actual or attempted unauthorized use of or access to protected data.</p>
<p>5.  Encryption of all personal information stored on laptops or any other portable device (flash drives, discs, external hard drives, etc…).</p>
<p>6.  Firewall and operating system protection, designed to maintain the integrity of the system, for all systems holding protected data that are connected to the internet.  This should include regular firewall and operating system security patches.</p>
<p>7.  Reasonably up-to-date anti-virus and anti-malware software (what that nebulous statement means will end up before a judge, as what is reasonable to a particular business might not be reasonable to the government).  The security software must be updated regularly, including relevant security patches.</p>
<p>8.  Documented training programs for all employees who will access the computer system containing the protected data.  This training must emphasize the importance of protecting personal information.</p>
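<p>To make three of the elements above concrete, here is an added illustration (not part of the regulation, and not code from White Space or any vendor) of a small login guard that implements 1.E (blocking a user after repeated failed attempts), 2.B (unique user IDs that refuse vendor-default names, with credentials stored as salted hashes rather than in the clear) and 4 (an audit trail of attempted unauthorized access).  The lockout threshold of five attempts and the fifteen-minute lockout window are assumptions; the regulation sets no specific numbers.</p>

```python
"""Added example of a 201 CMR 17.04 style login guard.

Hypothetical code written for this article, not the regulation's text and
not a product.  Thresholds below are assumed values, not regulatory ones.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5          # assumed: block after five bad passwords (element 1.E)
LOCKOUT_SECONDS = 15 * 60        # assumed: fifteen-minute lockout window
DEFAULT_IDS = {"admin", "administrator", "root", "guest", "user"}  # vendor defaults to refuse (2.B)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are never stored; only a salted, memory-hard scrypt hash is kept (element 1.C).
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)


class AuthGuard:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._accounts: Dict[str, Account] = {}
        self._clock = clock                  # injectable so lockout expiry can be tested
        self.audit_log: List[str] = []       # element 4: monitoring of unauthorized access attempts

    def _log(self, event: str, user_id: str) -> None:
        self.audit_log.append(f"{int(self._clock())} {event} user={user_id}")

    def create_user(self, user_id: str, password: str) -> None:
        # Element 2.B: unique IDs, not the defaults shipped with the system.
        if user_id.lower() in DEFAULT_IDS:
            raise ValueError(f"refusing vendor-default account name {user_id!r}")
        if user_id in self._accounts:
            raise ValueError(f"user id {user_id!r} already exists")
        salt = os.urandom(16)
        self._accounts[user_id] = Account(salt=salt, pw_hash=_hash_password(password, salt))

    def is_locked(self, user_id: str) -> bool:
        acct: Optional[Account] = self._accounts.get(user_id)
        return acct is not None and self._clock() < acct.locked_until

    def login(self, user_id: str, password: str) -> bool:
        now = self._clock()
        acct = self._accounts.get(user_id)
        if acct is None:
            # Hash anyway so an unknown user cannot be told apart from a bad password by timing.
            _hash_password(password, b"\x00" * 16)
            self._log("LOGIN_FAIL_UNKNOWN_USER", user_id)
            return False
        if now < acct.locked_until:
            # Element 1.E: even the correct password is rejected while the lockout is in force.
            self._log("LOGIN_REJECTED_LOCKED", user_id)
            return False
        if hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            acct.failed_attempts = 0
            self._log("LOGIN_OK", user_id)
            return True
        acct.failed_attempts += 1
        self._log("LOGIN_FAIL_BAD_PASSWORD", user_id)
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            self._log("ACCOUNT_LOCKED", user_id)
        return False


if __name__ == "__main__":
    guard = AuthGuard()
    guard.create_user("jsmith", "correct horse battery staple")   # constructed sample user
    for _ in range(MAX_FAILED_ATTEMPTS):
        guard.login("jsmith", "wrong password")
    print("locked:", guard.is_locked("jsmith"))
    print("\n".join(guard.audit_log))
```

<p>The audit log is the piece most businesses forget: element 4 is satisfied only if someone actually reviews these events, so in production they would go to a central log store rather than a list in memory.</p>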
<p>Businesses must be compliant with the law examined in this series right now.  Section 5 of the regulation mandated compliance by March 1, 2010.  If your business is not compliant, it is critical that you create a comprehensive information security program.  If you need any assistance, please contact us.  We can help you develop your comprehensive information security program.  While resources, whether in-house or outsourced, must be dedicated to this effort, it is necessary to protect your business from a data breach and to limit your liability in the event a breach does occur.</p>
<p>Like insurance, we all hate spending the time and money to protect against an event we hope will never happen.  However, we all carry insurance.  We carry insurance because we know that in the event of an accident or disaster, the cost of being covered is far less than the cost of not being covered.</p>
<p>Please leave your thoughts and comments on this subject.  If you have any questions, please feel free to post them here or contact us directly for a no-cost, no-obligation initial consultation.  Our job is to help you make sure your business is protected and thriving and we welcome the opportunity to serve you.</p>
<p><strong>DISCLAIMER</strong>:  The information presented here is general in nature, does not take your jurisdiction or actual circumstances into account and therefore may not apply to your circumstances or in your jurisdiction.  You should not rely on this general information as a substitute for legal advice from your attorney.  This is not an attorney-client communication.  You should seek individual advice from an attorney of your choosing if you require assistance in any legal or compliance matters.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whitespacemessaging.com/2010/06/07/data-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Security:  What you Need to Know to Avoid Compliance Issues.</title>
		<link>http://www.whitespacemessaging.com/2010/04/04/data-security-what-you-need-to-know-to-avoid-compliance-issues/</link>
		<comments>http://www.whitespacemessaging.com/2010/04/04/data-security-what-you-need-to-know-to-avoid-compliance-issues/#comments</comments>
		<pubDate>Mon, 05 Apr 2010 04:30:54 +0000</pubDate>
		<dc:creator>John</dc:creator>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Personal Information Security]]></category>
		<category><![CDATA[Communication]]></category>
		<category><![CDATA[Compliance]]></category>

		<guid isPermaLink="false">http://www.whitespacemessaging.com/?p=210</guid>
		<description><![CDATA[Privacy and data security are becoming a significant challenge for any business maintaining personal information and data.  Massachusetts has the strictest laws and regulations regarding the security of personal information.  Copies of the relevant statutes and regulations are available for download at our Resource Center (see link in article).   http://www.whitespacemessaging.com/2010/04/04/data-security-what-you-need-to-know-to-avoid-compliance-issues/]]></description>
			<content:encoded><![CDATA[<p><strong>Question</strong>:  What do TransPromo communications, personalized direct marketing, ecommerce and traditional retail all have in common?</p>
<p><strong>Answer</strong>:  They all use personal data in one way or another.</p>
<p>The subject of protecting the almost limitless amount of data about people that is out there in the world’s databases has become a concern to those occupying State Houses across the country and throughout the halls of Washington, DC.  Because we all deal with data on a daily basis, the topic of data security compliance requires particular attention in order to protect your customers, your business’s reputation and avoid hefty fines and penalties.<span id="more-210"></span></p>
<p>Recently, apparently brought about by the challenging (read: disastrous) roll-out of Google Buzz, outgoing Federal Trade Commission (FTC) Commissioner Pamela Jones Harbour <a href="http://latimesblogs.latimes.com/technology/2010/03/ftc-commissioner-internet-privacy.html">criticized technology companies</a> for their &#8220;[t]hrow it up against the wall and see if it sticks&#8221; approach to data security.  Of particular concern to Commissioner Harbour was a comment by Google Chief Executive Eric Schmidt, who during an interview with CNBC <a href="http://blogs.wsj.com/digits/2010/03/17/google-buzz-exemplifies-privacy-problems-ftc-commissioner-says/">reportedly stated</a>, “[I]f you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”  I can only imagine that upon learning of this comment by Mr. Schmidt, Google’s Chief Communications Officer fell out of their chair and wept openly.  While Ms. Harbour made it clear her comments were her own and not those of the FTC, the fact that it was the topic of discussion at such a high level demonstrates that the powers that be are concerned.</p>
<p>Technological leaps in the capability to capture consumer data, the capacity to store and analyze this data and the ease with which we can manipulate and transmit this data have resulted in a reduction of the level of privacy we can expect.  Consider the data that Amazon.com obtains on an individual with the sale of one book.  They know the buyer&#8217;s name, address, credit card information, and some buying behavior information, all with one transaction.  Now consider the information obtained when walking into your local bookstore, paying cash for the same book and walking out.  The &#8220;brick and mortar&#8221; seller makes the same sale, but gets no personal information.  Thus, many of these privacy issues are attributable to consumers’ online behavior.  Additionally, blogs, Tweets and other social media have eroded, for better or worse, the line between information that is private and that which is public.  In this context, Mr. Schmidt’s comment is valid.</p>
<p>Of immediate concern to those of us working with data is a regulation passed by the Commonwealth of Massachusetts.  This new regulation, (201 CMR 17.00, <em>et seq.</em>) implemented under the State’s data security statute (Massachusetts General Laws, Chapter 93H) is generally acknowledged to be the strictest in the nation (at least so far).  Copies of the laws and regulations are available for download at the <a href="http://www.whitespace-marketing.com/12.html">White Space Resource Center</a>.  These new regulations, which went into effect on March 1, 2010, mandate that all businesses that collect, handle or own certain information on Massachusetts residents institute, and make available for inspection, a comprehensive written information security program.</p>
<p>Before you think, “Heck, my business is not in Massachusetts, I don’t care what they say in Beantown,” hold on a minute.  The law does not care where your business is.  If you possess personal information on any Massachusetts residents (under Chapter 93H that means a resident’s name combined with a Social Security number, a driver’s license or state ID number, or a financial account or credit card number), you are legally required to comply with the data security law.  And that is not necessarily a bad thing.  The better we secure our data, the more trust our customers will have in us.  So this is an opportunity to help secure your data and build trust among your customers.</p>
<p>Now that we know that there is a growing concern among state and federal regulators regarding data security, and that we should have a comprehensive data security policy in place, we must take the next step and create a policy that is in compliance with the law.  As the Massachusetts law provides a clear road map for compliance, in the next post we will examine the regulation in greater detail.  Specifically, we will look at the regulation point by point and discuss creating a compliant comprehensive written information security program.</p>
<p>Should you require any assistance in this matter, please do not hesitate to contact me.  If you have any thoughts on this subject, please leave a comment.  The more we share, the smarter we all become.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whitespacemessaging.com/2010/04/04/data-security-what-you-need-to-know-to-avoid-compliance-issues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

