On the surface, it seems like the law is pretty basic. But nothing in data security can ever be called basic. In actuality, there is much more you need to consider when it comes to understanding the Massachusetts information security law. To help you with this, there are eight technology requirements you need to adhere to:
In this day and age, there is no excuse to store or transmit any confidential data in plain text. It should always be encrypted as directed by this law. Collecting information from customers, clients, etc. over the Internet should be done via SSL and not sent through email.
In order to be in compliance with 201 CMR 17.00, any personal information stored on laptops or other portable devices is required to be encrypted. This helps prevent data leaks from lost or stolen devices and is part of a solid mobile-device management solution.
Any system connected to the Internet is required to have an up-to-date firewall protecting data stored on computers and network drives. It also requires that operating systems remain current with security patches to protect against known vulnerabilities.
Your security solution is required to have malware protection that is updated with patches and virus definitions to protect against threats used to steal or leak confidential data.
Your users need to be trained on the proper use of security systems, and the training needs to cover the importance of protecting confidential and personal information that your company stores.
Your authentication protocols need to control user IDs and other identifiers, manage passwords (including enforcing strong passwords), and block access to systems storing personal information after multiple unsuccessful login attempts.
Not everyone needs to have access to the confidential data you store on your systems. The law requires that you restrict access to confidential data only to users who require it to get their jobs done. You also need to assign unique user names and not rely on vendor-supplied default user names and passwords.
In addition to making sure that confidential data are protected, the law requires that you reasonably monitor who is accessing personal information and when. If there is access outside the norms, you need to investigate it to make sure that an account hasn’t been compromised.
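To make the two monitoring-related requirements concrete (blocking access after repeated failed logins, and flagging access to personal information that falls outside a user's norm), here is a small added example in Python. It is not from the page or from the law itself: the thresholds (five failed attempts, per-user working hours and daily record counts), the log formats and the log entries are all constructed for illustration, since 201 CMR 17.00 speaks of "multiple" attempts and "reasonable" monitoring without fixing numbers.

```python
from collections import defaultdict
from datetime import datetime

# Assumed policy value: 201 CMR 17.00 says "multiple" unsuccessful
# attempts without naming a number, so five is a choice, not the law.
MAX_FAILED_ATTEMPTS = 5

# Constructed authentication log: ISO timestamp, user ID, result.
AUTH_LOG = """\
2024-03-04T08:59:10 alice FAIL
2024-03-04T08:59:25 alice OK
2024-03-04T22:10:01 svc-backup FAIL
2024-03-04T22:10:03 svc-backup FAIL
2024-03-04T22:10:05 svc-backup FAIL
2024-03-04T22:10:07 svc-backup FAIL
2024-03-04T22:10:09 svc-backup FAIL
2024-03-04T22:10:11 svc-backup FAIL
2024-03-04T09:02:00 bob FAIL
2024-03-04T09:02:30 bob FAIL
2024-03-04T09:03:00 bob OK
"""

# Constructed access log for a system holding personal information:
# ISO timestamp, user ID, customer record ID.
ACCESS_LOG = """\
2024-03-04T09:15:00 alice cust-1001
2024-03-04T09:16:00 alice cust-1002
2024-03-04T10:40:00 bob cust-2003
2024-03-04T23:30:00 bob cust-2004
2024-03-05T11:00:00 alice cust-1001
2024-03-05T11:00:05 alice cust-1003
2024-03-05T11:00:10 alice cust-1004
2024-03-05T11:00:15 alice cust-1005
"""

# Constructed per-user baselines ("the norms"): normal working hours
# (inclusive start, exclusive end) and the most distinct records a user
# normally touches in one day.
BASELINES = {
    "alice": {"hours": (8, 18), "max_records_per_day": 3},
    "bob": {"hours": (8, 18), "max_records_per_day": 5},
}


def lockout_events(log_text, threshold=MAX_FAILED_ATTEMPTS):
    """Return {user: timestamp} for accounts that reach `threshold`
    consecutive failed logins. A successful login resets the counter;
    once locked, later attempts by that account are ignored."""
    failures = defaultdict(int)
    locked = {}
    for line in log_text.splitlines():
        ts, user, result = line.split()
        if user in locked:
            continue
        if result == "FAIL":
            failures[user] += 1
            if failures[user] >= threshold:
                locked[user] = ts
        else:
            failures[user] = 0
    return locked


def anomalous_accesses(log_text, baselines):
    """Return a sorted list of (user, reason) for accesses outside the
    user's norm: off-hours access, more distinct records in one day than
    the baseline allows, or a user with no baseline at all."""
    per_day = defaultdict(set)
    findings = set()
    for line in log_text.splitlines():
        ts, user, record = line.split()
        when = datetime.fromisoformat(ts)
        base = baselines.get(user)
        if base is None:
            findings.add((user, "no baseline for user"))
            continue
        start, end = base["hours"]
        if not start <= when.hour < end:
            findings.add((user, f"off-hours access at {ts}"))
        key = (user, when.date())
        per_day[key].add(record)
        count = len(per_day[key])
        if count > base["max_records_per_day"]:
            findings.add((user, f"{count} records on {when.date()}"))
    return sorted(findings)


if __name__ == "__main__":
    print("locked accounts:", lockout_events(AUTH_LOG))
    for user, reason in anomalous_accesses(ACCESS_LOG, BASELINES):
        print(f"review {user}: {reason}")
```

Both functions return findings rather than acting on them, so the same checks can feed an alert, a ticket, or a report; what they do not do is decide whether an account is actually compromised, which remains the human follow-up the law asks for.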
Doing business in the Commonwealth of Massachusetts is lucrative, but it requires a business to take security seriously. For smaller businesses that don’t have the teams in place to adhere to these stringent standards, finding the right managed services provider to partner with can help ensure that you follow this law. More important, it can help you keep your customers’ information safe so that they continue to trust you enough to do business with you.