When it was passed in 2010, Jones Day called the Standards for the Protection of Personal Information of Residents of the Commonwealth (of Massachusetts) “the most comprehensive data protection and privacy law in the United States.” The law, known as 201 CMR 17.00, was created to protect Commonwealth residents against identity theft and fraud. It requires any companies or persons who store or use personal information about a Massachusetts resident to develop a written, regularly audited plan to protect personal information. This applies to both paper and electronic records.
Massachusetts Information Security Law
On the surface, the law seems pretty basic. But nothing in data security can ever be called basic, and there is much more you need to consider to understand the Massachusetts information security law. To help, here are the eight technology requirements it expects you to adhere to:
1. Encrypt stored and transmitted data
In this day and age, there is no excuse to store or transmit any confidential data in plain text. It should always be encrypted, as this law directs. Collecting information from customers, clients, etc. over the Internet should be done via SSL and not sent through email.
2. Secure portable devices
In order to be in compliance with 201 CMR 17.00, any personal information stored on laptops or other portable devices is required to be encrypted. This helps prevent data leaks from lost or stolen devices and is part of a solid mobile-device management solution.
3. Firewall protection
Any system connected to the Internet is required to have an up-to-date firewall protecting data stored on computers and network drives. It also requires that operating systems remain current with security patches to protect against known vulnerabilities.
4. Security software
Your security solution is required to have malware protection that is updated with patches and virus definitions to protect against threats used to steal or leak confidential data.
5. An education program
Your users need to be trained on the proper use of security systems, and the training needs to cover the importance of protecting confidential and personal information that your company stores.
6. Secure user-authentication protocols
These protocols need to control user IDs and other identifiers, manage passwords (including enforcing strong passwords), and block access to systems storing personal information after multiple unsuccessful login attempts.
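As an added illustration of this requirement (not code from the original article, and not an implementation prescribed by the law), the following Python sketch shows the three controls together: unique user identifiers, a strong-password policy applied at account creation, and a lockout after repeated failed logins. The password rules, the five-attempt limit, and the PBKDF2 parameters are assumptions chosen for the example, not values taken from 201 CMR 17.00.

```python
"""Added example: a minimal user-authentication gate showing identifier
control, strong-password enforcement and lockout after repeated failures.
Thresholds and policy values below are assumptions for illustration."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5          # assumption: lock after 5 consecutive failures
PBKDF2_ITERATIONS = 100_000      # assumption: work factor for password hashing


def password_is_strong(pw: str) -> bool:
    """Assumed policy: at least 12 characters with lower case, upper case,
    a digit and a non-alphanumeric symbol."""
    return (
        len(pw) >= 12
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; passwords are never stored in clear text."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


class AuthStore:
    """In-memory account store standing in for a real directory or database."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create_user(self, username: str, password: str) -> None:
        # Unique identifiers per person; no shared or vendor-default names.
        if username in self.accounts:
            raise ValueError("username must be unique")
        if not password_is_strong(password):
            raise ValueError("password does not meet the strength policy")
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Accounts lock after
        MAX_FAILED_ATTEMPTS consecutive failures until an admin resets them."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"          # same answer for unknown users: no user enumeration
        if acct.locked:
            return "locked"
        candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(acct.pw_hash, candidate):
            acct.failed_attempts = 0  # successful login resets the counter
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"

    def unlock(self, username: str) -> None:
        """Administrative reset after the lockout has been reviewed."""
        acct = self.accounts[username]
        acct.locked = False
        acct.failed_attempts = 0


if __name__ == "__main__":
    store = AuthStore()
    store.create_user("alice", "Correct-Horse-9")
    print(store.authenticate("alice", "Correct-Horse-9"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.authenticate("alice", "wrong-guess"))   # denied ... then locked
```

The lockout is deliberately a separate state rather than a delay, so that a locked account shows up in the access monitoring discussed under requirement 8 and someone reviews why it locked before it is reset.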
7. Restrict access to sensitive data
Not everyone needs to have access to the confidential data you store on your systems. The law requires that you restrict access to confidential data only to users who require it to get their jobs done. You also need to assign unique user names and not rely on vendor-supplied default user names and passwords.
8. Monitor access
In addition to making sure that confidential data are protected, the law requires that you reasonably monitor who is accessing personal information and when. If there is access outside the norms, you need to look into that to make sure that an account hasn’t been compromised.
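As an added example (not from the original article, and not a tool the law names), here is a small Python review of access records that flags the kinds of "access outside the norms" this requirement has in mind: reads by users outside the group that needs personal information, reads outside business hours, and bursts of record reads in a short window. The log format, the user list, the business-hours window and the burst threshold are all constructed assumptions for the illustration.

```python
"""Added example: review an access log for reads of personal-information
records that fall outside expected norms. The log lines are constructed
sample data; user list, hours and thresholds are assumptions."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp, user, action, record id of a customer record
SAMPLE_LOG = """\
2024-03-04T09:12:05 alice READ customer/1042
2024-03-04T09:13:40 alice READ customer/1043
2024-03-04T13:02:11 bob READ customer/2201
2024-03-04T23:41:09 bob READ customer/2202
2024-03-04T23:41:15 bob READ customer/2203
2024-03-04T23:41:20 bob READ customer/2204
2024-03-04T10:05:00 svc_backup READ customer/1042
2024-03-05T08:30:00 carol READ customer/3001
"""

AUTHORIZED_USERS = {"alice", "bob", "carol"}   # assumption: roles that need PII access
BUSINESS_HOURS = range(8, 19)                  # assumption: 08:00-18:59 is normal
BULK_THRESHOLD = 3                             # assumption: 3+ records in one minute is unusual

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse 'timestamp user action record' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, record = m.groups()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def find_anomalies(events) -> list[tuple[str, str, str]]:
    """Return (kind, user, when) findings for accesses outside the norms."""
    findings = []
    per_minute: Counter = Counter()
    for ts, user, action, record in events:
        if user not in AUTHORIZED_USERS:
            findings.append(("unauthorized_user", user, ts.isoformat()))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("off_hours", user, ts.isoformat()))
        per_minute[(user, ts.strftime("%Y-%m-%dT%H:%M"))] += 1
    # A burst of distinct records in one minute looks like bulk extraction
    # rather than the one-record-at-a-time pattern of normal customer service.
    for (user, minute), n in per_minute.items():
        if n >= BULK_THRESHOLD:
            findings.append(("bulk_read", user, minute))
    return findings


def review(text: str) -> list[tuple[str, str, str]]:
    return find_anomalies(parse_log(text))


if __name__ == "__main__":
    for kind, user, when in review(SAMPLE_LOG):
        print(f"{when}  {user:<12} {kind}")
```

Each finding is a prompt for a person to check whether the account was used by its owner, not an automatic verdict; the point of the requirement is that someone actually looks.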
Doing business in the Commonwealth of Massachusetts is lucrative, but it requires a business to take security seriously. For smaller businesses that don’t have the teams in place to adhere to these stringent standards, finding the right managed services provider to partner with can help ensure that you follow this law. More important, it can help you keep your customers’ information safe so that they continue to trust you enough to do business with you.