Businesses that receive, maintain, process, or have access to personal information of Massachusetts residents are required to comply with the Massachusetts Security Regulation, 201 CMR 17.00. The Regulation requires businesses to implement and comply with a comprehensive Written Information Security Plan (WISP) in order to protect certain categories of personal information about employees, customers, prospects, business contacts and other third parties.
A first implementation deadline of March 1, 2010 required all businesses subject to the Regulation to adopt WISPs for their operations. The Regulation contains a second deadline. By March 1, 2012, covered businesses must have updated all service provider contracts that were entered into before March 1, 2010 in order to require these service providers to also comply with the requirement to adopt a WISP to protect this personal information. Thus, by March 1, 2012, companies that are subject to the Massachusetts Regulation will have to be fully compliant, both with respect to their own operations and with respect to their contracts and interactions with their service providers.
Highlights of the Regulation are provided below.
Only certain categories of personal information are covered. The requirement applies only to the protection of a person’s first and last name (or first initial and last name) combined with any of the following:
- Social Security number
- Driver’s license number
- State-issued ID card number
- Financial account (such as bank account, insurance account)
- Credit or debit card number
The Regulation requires a business that owns or licenses this protected personal information in paper or electronic form to develop, implement, and maintain a comprehensive written information security program. Companies that fail to implement such a program may be subject to a $5,000 civil penalty for each violation.
The requirements include, among other things:
- Designating one or more employees to maintain the comprehensive information security program;
- Development and implementation of a comprehensive written information security program that contains administrative, technical, and physical safeguards appropriate to the size, scope, and type of business;
- Special security measures for computer systems and wireless systems;
- Secure user authentication and access controls;
- Encryption of all records and files containing personal information that will travel across public networks or are transmitted wirelessly;
- Use of reasonably up-to-date versions of system security agent software that must include malware protection and reasonably up-to-date patches and virus definitions;
- Security monitoring and intrusion detection;
- Ongoing monitoring of the company’s compliance with the information security program;
- Ongoing employee training;
- Use of reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with the Regulations and any applicable federal regulations;
- Written contracts with these service providers;
- Reviewing the scope of the information security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.