In the wake of recent data security breaches that continue to affect Massachusetts residents, the state has recently passed new protective regulations to safeguard their personal information, or PI. And frankly, it can’t be happening a moment too soon.
The legislation, known formally as Massachusetts Regulatory Compliance Law 201 CMR 17.00, is intended to protect residents’ PI.
With the deadline for compliance recently extended to March 2010, these regulations set minimum standards for businesses to safeguard PI contained in both paper and electronic records. This law is in addition to existing compliance regulations such as SOX, HIPAA and PCI.
A “breach of security” is defined as an unauthorized acquisition of PI that creates a substantial risk of identity theft or fraud against a resident of Massachusetts.
The critical question, of course, is who needs to comply, and how will compliance be defined?
The first part of the question is relatively simple: Ultimately, the legislation applies to all organizations that own, license, store or maintain PI about a resident of the Commonwealth of Massachusetts.
Under the new law, PI is defined as an individual’s first and last name (or first initial and last name) and one of the following: Social Security number, driver’s license number or state-issued identification card number, or a financial account number, credit card number or debit card number.
Actual compliance, the second part of the question, is a bit more complicated.
To comply with the regulation, organizations must implement a range of security and privacy standards and technologies described in the law.
These boil down to six general requirements:
- Develop, implement and maintain a comprehensive written information security program (WISP) for PI;
- Make sure the WISP is properly staffed and establish monitoring and training to ensure employee compliance;
- Identify and inventory all paper and electronic records to determine if they contain PI which must be secured;
- Restrict collection and access to PI to only those required for legitimate business purposes;
- Encrypt PI stored on laptops and portable devices, including laptops, flash drives, PDAs or information transmitted over wireless or public networks;
- Take reasonable steps to verify that third-party service providers with access to PI have appropriate safeguards in place that meet or exceed the standards.
With these requirements as a backdrop, how does a business actually begin the process of getting started on a program to gain compliance with the new statute?
While not intended to be a specific inventory of action steps, the following list will illustrate the basic effort that companies must undertake.
- Establish a team. It is very important for senior management to participate; they need to be involved with establishing the policies and procedures for the organization.
Typically, this team will also include members of human resources, IT, legal and administrative departments.
- Formulate, then implement, the WISP. This must be extremely comprehensive, including all administrative, technical and physical safeguards.
- Designate a data security coordinator. This person will shoulder primary responsibility for implementing the WISP, as well as training employees to follow properly the plan’s myriad parameters.
In addition, the coordinator should perform regular monitoring and testing of the plan’s safeguards, as well as evaluate third-party service providers for compliance.
- Establish internal risk guidelines. This includes amending employment contracts to require compliance with the plan, developing disciplinary actions to be taken based on the nature of a specific violation, limiting the amount of PI collected as reasonably necessary for the business and more.
- Establish physical risk guidelines. This encompasses prohibiting employees from keeping open files containing PI on their desks when they are not present; securing files and records containing PI at the end of the workday; restricting visitors access to one entry point for each building that PI is stored, and more.
- Establish external risk guidelines. This means that reasonably up-to-date firewall protection and computer operating system software security vulnerability patches are installed on all systems processing PI. Also, all PI stored on laptops or portable devices must be encrypted and all PI records and files transmitted across public or wireless networks must be encrypted.
- Perform gap analysis. Determine specific safeguard areas that require actions for improvement.
- Maintain, monitor and test. This involves distributing copies of the WISP plan to employees, conducting immediate and regular training of employees and reviewing all security measures annually or upon any material change in business practices impacting the integrity of security.
- Notification. Whenever there is an incident that may require notification under M.G.L c.93H, there must be a post-incident review of events and actions taken.
Anyone doubting the need to fully comply with the new statute should consider the penalties. Organizations that do not comply may, in the event of a data breach, be subject to serious fines ($100 to $5,000 per violation, depending on the type), as well as potential lawsuits filed by the Massachusetts Attorney General, businesses or individuals.
Needless to say, the information technology people in your company will be a vital part of the team established to meet the requirements of the new legislation.
Some areas that they can help address are assessing, updating or revising your existing security program; implementing some of your existing compliance procedures; and helping to make strategic investments in newer firewalls, encryption alternatives and other technologies.
Organizations may also need to reach out to various partners such as their legal counsel and/or outside technology consultants to ensure they fully understand the requirements for compliance.
As of this writing, modifications were being considered to the legislation, so it’s important to check the following resources for the latest version:
• Office of Consumer Affairs & Business Regulation
• Massachusetts Society of Certified Public Accountants
• InfoSecurity Analysis.com
Dawn Mortimer, CPA, CITP, is principal and co-founder of KDSA Consulting, a North Andover-based company that is designed to meet the unique technology goals of businesses in a wide variety of industries.