Contact Us!

    Full Name (Required)

    Telephone No. (Required)

    Email Address (Required)

    Areas of Interest (Required)


    Subject

    Message

    Contact Us

    [email protected]

    Worcester, MA | 866-304-4300

    Boston, MA | 508-365-3630

    Providence, RI | 401-735-1956

    Hartford, CT | 860-560-8000

    Compliance

    MGL 201.CMR.17

    Massachusetts 201.cmr.17 has been the law since 2009 and how it applies to you.

    After a decade of continued and accelerated data breaches, hacks, theft, personal data theft and more, in 2005 201.cmr.17 came into effect. This law is designed to protect a citizen of Massachusetts no matter where they are in the world.

    MGL 201.cmr.17

    What is 201.cmr.17 about?

    The law in its entirety is about protecting the individual citizens personal information and the safe guards the businesses who have that information are required to do to keep it safe. 

     

    From requiring a firewall, antivirus, endpoint protection, password protection and more, businesses need to protect that data at all reasonable costs, including doing what they can to protect the data even when they lose control of that data. 

    The law and the requirements:

    Who is covered? 

     

    The law: 17.03:

    Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program
    that is written in one or more readily accessible parts and contains administrative, technical, and
    physical safeguards that are appropriate to:
    (a) the size, scope and type of business of the person obligated to safeguard the personal
    information under such comprehensive information security program;
    (b) the amount of resources available to such person;
    (c) the amount of stored data; and
    (d) the need for security and confidentiality of both consumer and employee information.
    The safeguards contained in such program must be consistent with the safeguards for
    protection of personal information and information of a similar character set forth in any state
    or federal regulations by which the person who owns or licenses such information may be regulated. 

     

    Anyone who has any citizens data must comply.

    Information security plan – Required

     

    Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to: (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.

     

    The days of hoping are over, all entities are required to have a plan in place.

    Healthcare Data Disaster Plan – Required

     

    What’s your plan in the case of an incident? HIPAA requires businesses to “Establish (and implement as needed) procedures to restore any loss of data.” You need to document how you will protect and recover patient data at a minimum. Stronger plans include communication, alternative sites, and business operations afterward to keep your organization functioning.

    Computer System Requirements – Required

     

    Every person that owns or licenses personal information about a resident of the
    Commonwealth and electronically stores or transmits such information shall include in its
    written, comprehensive information security program the establishment and maintenance of a
    security system covering its computers, including any wireless system, that, at a minimum, and
    to the extent technically feasible.

     

    Usernames, password, tokens, biometric and more are required. No more passwordless systems and auto login.

    Physical Restrictions – Required

     

     Secure access control measures that:
    (a) restrict access to records and files containing personal information to those who need
    such information to perform their job duties; and
    (b) assign unique identifications plus passwords, which are not vendor supplied default
    passwords, to each person with computer access, that are reasonably designed to maintain
    the integrity of the security of the access controls.

     

    Leaving paperwork on a desk and going home isn’t an option. Data about a citizen should not be accessible by anyone who should not have access it it.

    Encryption of email, disks, storage that contain citizens information. – Required

     

    Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. 

     

    You transport it, you must secure it. 

    Monitoring – Required

     

    Reasonable monitoring of systems, for unauthorized use of or access to personal
    information.

     

    Notifications of what not to do is no longer acceptable, you access it, you log it.

    Firewalls, patches and maintenance – Required

     

    For files containing personal information on a system that is connected to the Internet, there
    must be reasonably up-to-date firewall protection and operating system security patches,
    reasonably designed to maintain the integrity of the personal information

     

    Those pesky windows notifications and apple updates are now required, sometimes on a weekly basis depending on risk.

    Antivirus / Endpoint Protection – Required

     

    Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. 

     

    Free antivirus, free antimalware is no longer acceptable, You need legitimate and solid protection against viruses and theft. 

    Training – Required

     

    Education and training of employees on the proper use of the computer security system and the importance of personal information security.

     

    Employees must be made aware of security threats, phishing and intrusions. 

    Bottom Line with 201.cmr.17

    If you have the data of a citizen of the Commonwealth, you need to protect it, no matter where you are in the world. Not only does it help you meet compliance it is a great idea to protect your own intellectual property.

    Triton Technologies

    Get an IT infrastructure that supports your clients and meet compliance. Meet with us today.