In an effort to protect Massachusetts residents from the rising incidence of fraud and identity theft that follows data loss, the Commonwealth of Massachusetts has adopted aggressive regulatory requirements for the protection of personal information. Compliance is now mandatory with 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth (also known as 201 CMR 17 or the Massachusetts Privacy Law), issued by the Office of Consumer Affairs and Business Regulation (OCABR) under the state's breach notification statute, M.G.L. c. 93H. Where California's landmark SB 1386 established breach notification, the Massachusetts regulation goes further and sets a minimum standard for protecting Massachusetts residents' personal information (PI) in both paper and electronic records. For purposes of compliance, PI is defined as a resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to that resident:
- Social Security number;
- driver's license number or state-issued identification card number; or
- financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to the resident's financial account.
Information lawfully obtained from publicly available sources, or from federal, state or local government records lawfully made available to the general public, is excluded from the definition.
201 CMR 17 set a new bar among state security laws by reaching every entity that owns or licenses the sensitive data of Massachusetts residents, regardless of where that entity is located. The regulation is intended to bring entities into alignment with existing federal and industry security requirements, including the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), enforced by the Federal Trade Commission (FTC), and the Payment Card Industry Data Security Standard (PCI DSS), overseen by the PCI Security Standards Council. Its administrative, physical and technical controls are aimed at preventing breaches of paper or electronic records containing PI. Securing electronic records means covering PI wherever it is in transit or at rest: databases, laptops, applications, portable devices, and just about any other system that handles it.
Who needs Mass 201 CMR 17?
Every person, corporation, association, partnership or other legal entity that owns or licenses personal information about a Massachusetts resident, that is, receives, stores, maintains, processes or otherwise has access to it in connection with providing goods or services or with employment, is responsible for complying with 201 CMR 17 by March 1, 2010. Because the written program must be built on an assessment of reasonably foreseeable internal and external risks, that risk assessment has to be completed before the compliance date. The regulation applies regardless of whether the entity or the data is inside or outside state borders. Note that agencies of the Commonwealth and its political subdivisions are excluded from the regulation's definition of "person"; their data security obligations are addressed separately under c. 93H.
Penalties for non-compliance
Penalties for non-compliance with 201 CMR 17 are enforced by the Attorney General under Massachusetts General Laws, Title XV (Regulation of Trade), chapter 93A, section 4. Violators face a civil penalty of up to $5,000 for each violation (what counts as a single violation has not yet been made clear), must pay the reasonable costs of investigation and litigation, including reasonable attorney's fees, and are exposed to additional civil actions, since 201 CMR 17 creates a baseline standard that lets plaintiffs argue that a business that lost data was negligent. Separately, M.G.L. c. 93H, section 3 requires that any breach of security be reported to the Attorney General, the Office of Consumer Affairs and Business Regulation (OCABR) and the affected residents.
What you need to be Mass 201 CMR 17 compliant
The new Massachusetts Privacy Law requires the following criteria be met:
- a risk assessment that identifies and assesses the reasonably foreseeable internal and external risks across the human, physical and technical environment, evaluated against the criteria set out in 201 CMR 17
- the computer system security requirements are risk-based and apply to the extent technically feasible, which the regulation defines to mean that if a reasonable technological means is available to accomplish a required result, it must be used
- the safeguards selected on the basis of that risk assessment must be documented in a written information security program (WISP), with one or more employees designated to maintain it
- the scope of the security measures must be reviewed at least annually, or whenever there is a material change in business practices that may reasonably affect the security or integrity of records containing PI
The OCABR published a 201 CMR 17 Compliance Checklist as an aid for organizations and their auditors when conducting the risk assessment. Note that the regulation itself contains no requirement to file the WISP or the risk assessment results with the state; at the time of writing, additional guidance from OCABR was expected before the March 2010 deadline.
What Can You, as a Small Business Owner Do?
As a business owner, you can do one of two things:
- Delegate a portion of your staff to conduct a risk analysis and review and to draft a WISP. Before you go down this path, ask yourself whether you can afford the time commitment of two or three employees to follow a process they may have no experience with, and whether the results will be accurate and hold up in court should it come to that.
- Hire an experienced IT governance and risk assessment firm such as RGW Associates to prepare you for compliance with this new law.
PLEASE BE CLEAR: ignoring this mandate is NOT AN OPTION!
Please feel free to contact me with any questions you might have regarding Mass 201 CMR 17 or any of your IT Governance or Risk Assessment needs; or visit us at our web site www.rgwllc.com.
Sebastian DiFelice
Managing Director
RGW Associates LLC
sdifelice@rgwllc.com
(888) 452-8445 x801
direct (617) 237-0543
fax (610) 523-4443
www.rgwllc.com
Tags: IT Governance, IT Risk Assessment, M.G.L c 93H 201 CMR 17.00, Managing IT, Small Business
March 4, 2010 at 8:28 pm
Good post… there is another take on the Mass 201 law here: http://blog.maas360.com/massLaw
… wondering if this will become a trend?
March 10, 2010 at 1:50 pm
Jason,
Read your post and, although I can see this as a boon business-wise, I cannot help but think that it's the small business (such as mine) that will be hurt.
Regards and Good Luck!
Sebastian DiFelice
RGW Associates LLC