In less than 30 days the most broadly sweeping data security and privacy legislation will become law in Massachusetts. If yours is like most small/medium (and even some large) non-financial companies, the chances that any constructive time has been spent discussing and preparing for this moment are slim to none.
Come March 1st, 2010 it will be illegal to operate ANY company, regardless of size, without some sort of Written Information Security Plan (better known as a WISP – ah yes, the government does love its acronyms!). Now does this mean that the black helicopters are going to swoop down on your hardware store or landscape business or diner or barber shop on March 2nd if you do not have a WISP in place? Hardly; but that does not mean that this piece of legislation can simply be ignored either. You need to sit down and plan this out and then implement what you have put down on paper. What follows are the major points that MUST be covered by any WISP. Please, do yourself a favor and get this done; you don’t want to be the test case that this legislation cuts its teeth on…do you?
First, let’s all be clear here – this legislation pertains to EVERYONE, as demonstrated by the language of Section 17.01, Purpose and Scope, paragraph 2, entitled Scope. It reads as follows:
- “The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.”
Now that we have that straight, let’s get into the “weeds”.
The objective of a Written Information Security Plan (WISP) should be to establish and create effective administrative, technical and physical safeguards for the protection of personal information of Massachusetts residents, and to comply with obligations under 201 CMR 17.00. The WISP should set forth your procedure for evaluating your electronic and physical methods of record keeping and the security around those records.
**YES, YOU HEARD CORRECTLY** – this law is not JUST for electronic data; it pertains just as stringently to “physical” data as well, and this includes paper records too!
- Your WISP should ensure the security and confidentiality of personal information
- Your WISP should protect against any anticipated threats or hazards to the security of that information
- Your WISP should protect against unauthorized access or use of such information that could lead to identity theft
How do you do this? Here are some major points to consider:
Appoint a designated “Security Team”. A minimum of two people should be selected and given the title of Data Security Coordinator. Their job will be:
- to implement the WISP
- to train employees
- to regularly test the safeguards that have been put in place
- to evaluate, on an ongoing basis, any 3rd-party service provider’s ability to comply with this law, and to obtain assurances that they do
- to review the scope of the security measures in the WISP at least annually
- to conduct an annual training session on the elements of the WISP for all owners, managers, employees and independent contractors, including temporary and contract employees, who have access to personal information. All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with the firm’s requirements for ensuring the protection of personal information.
Here are some things to keep in mind while creating your WISP (in no particular order):
- Copier security
- Data encryption (both at rest and in transit) – the law has VERY specific guidelines for this
- Password hardening and expiration
- Security of physical data and its location (including access to said data)
- Limit the amount of data collected on any given person to the absolute minimum
- Identify risks to the security, confidentiality and integrity of the information that you hold
Please bear in mind that this is not by any means a complete list. Look at it as a good, solid starting point for your WISP. Also remember that if it’s in the WISP, the burden of proof to show that all your security policies were carried out to their fullest will be on you, should you ever be brought to defend yourself against a personal data loss/breach case. So while being thorough, please remember to keep it simple too. Don’t put things in there just because they sound good. If you can’t do it, don’t put it in your WISP!
One last point to drive this all home: the penalty if you are ever involved in a data breach is $5,000.00 per incident (interpreted as per record/person). That’s not chicken feed!
Good luck and feel free to contact RGW Associates LLC. We are able to assist you with all your GRC needs.
Tags: IT Governance, IT Risk Assessment, M.G.L c 93H 201 CMR 17.00, Managing IT, Small Business