
201 CMR 17.00

Massachusetts 201 CMR 17.00 has been in force since March 1, 2010, and here is how it applies to you.

After years of accelerating data breaches, hacks and identity theft, Massachusetts enacted M.G.L. c. 93H in 2007, and the Office of Consumer Affairs and Business Regulation issued the regulation 201 CMR 17.00 under it, with full compliance required by March 1, 2010. The regulation protects the personal information of Massachusetts residents no matter where the business that holds that information is located.

What is 201 CMR 17.00 about?

The regulation is about protecting the personal information of individual residents and the safeguards that businesses holding that information are required to put in place to keep it safe. "Personal information" has a specific meaning under 17.02: a resident's first name (or first initial) and last name in combination with a Social Security number, a driver's license or state-issued ID number, or a financial account number or credit or debit card number.

From requiring a firewall, antivirus, endpoint protection and password protection to encryption and monitoring, businesses must take reasonable measures to protect that data, including safeguards such as encryption that keep protecting it even after the business loses control of a device or a transmission.

The law and the requirements:

Who is covered?

The regulation, 17.03(1):

    Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program
    that is written in one or more readily accessible parts and contains administrative, technical, and
    physical safeguards that are appropriate to:
    (a) the size, scope and type of business of the person obligated to safeguard the personal
    information under such comprehensive information security program;
    (b) the amount of resources available to such person;
    (c) the amount of stored data; and
    (d) the need for security and confidentiality of both consumer and employee information.
    The safeguards contained in such program must be consistent with the safeguards for
    protection of personal information and information of a similar character set forth in any state
    or federal regulations by which the person who owns or licenses such information may be regulated. 

     

Anyone, anywhere, who owns or licenses personal information about a Massachusetts resident must comply; the obligation does not depend on where the business is located.

    Information security plan – Required

     

The requirement is the sentence of 17.03(1) quoted above: a written, comprehensive information security program (commonly called a WISP) with administrative, technical and physical safeguards scaled to the size of the business, its resources, the amount of data it stores, and the sensitivity of that data. 17.03(2) goes on to list what the program must include, among them a designated employee responsible for it, an assessment of reasonably foreseeable risks, employee training and disciplinary measures, cutting off access for terminated employees, oversight of third-party service providers, physical access restrictions, regular monitoring, a review at least annually, and documentation of responsive actions taken after any breach of security.

The days of hoping are over: every covered entity is required to have a written plan in place.

Incident Response and Data Recovery Plan – Required

What is your plan in the case of an incident? 201 CMR 17.03(2) requires documenting the responsive actions taken in connection with any breach of security and a post-incident review of what happened and whether business practices need to change. If you handle patient data, HIPAA adds its own requirement to "Establish (and implement as needed) procedures to restore any loss of data." At a minimum, document how you will protect and recover that data. Stronger plans also cover communication, alternative sites, and how the organization will keep operating afterward.

    Computer System Requirements – Required

     

The regulation, 17.04:

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible...

The elements that follow in 17.04 are summarized in the sections below. The first, secure user authentication protocols, covers control of user IDs and other identifiers; a reasonably secure method of assigning and selecting passwords, or the use of unique identifier technologies such as biometrics or token devices; restricting access to active users and active accounts only; and blocking access after multiple unsuccessful login attempts. Every person with computer access needs a unique, authenticated identity: shared accounts, anonymous access and auto-login without authentication do not qualify.

Access Controls – Required

Secure access control measures that:
(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.

That is 17.04(2), least privilege in other words: data about a resident should not be accessible to anyone whose job does not require it, every account must have its own credentials, and vendor default passwords must be changed. The regulation also covers paper. 17.03(2)(g) requires reasonable restrictions on physical access to records containing personal information and storage of those records in locked facilities, storage areas or containers, so leaving paperwork on a desk and going home is not an option.

Encryption of Email, Disks and Storage Containing Personal Information – Required

Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

That is 17.04(3); 17.04(5) adds encryption of all personal information stored on laptops or other portable devices. Email crossing the Internet, Wi-Fi traffic, laptops and USB drives all fall under it. "Encrypted" is defined in 17.02 as the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key, so obfuscation or access controls alone do not count. You transport it, you must encrypt it.

    Monitoring – Required

     

Reasonable monitoring of systems, for unauthorized use of or access to personal information.

That is 17.04(4), and 17.03(2)(h) separately requires regular monitoring to confirm that the program is actually preventing unauthorized access or use, with safeguards upgraded as necessary. A posted notice of what not to do is not monitoring: access to personal information has to be logged, and the logs have to be reviewed.

    Firewalls, patches and maintenance – Required

     

For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

That is 17.04(6). Those Windows and Apple update notifications can no longer be dismissed indefinitely. The regulation sets no fixed cadence, only "reasonably up-to-date", so the interval should follow the risk: a critical patch for an Internet-facing system may need to be applied the same week it is released.

    Antivirus / Endpoint Protection – Required

     

Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

That is 17.04(7). The regulation does not name products or prices; what it requires is endpoint protection that is still supported by its vendor, patched, and configured to receive definition and security updates automatically. An unsupported product, or one that is never updated, fails the test whether it was free or paid.

    Training – Required

     

Education and training of employees on the proper use of the computer security system and the importance of personal information security.

That is 17.04(8), and 17.03(2)(b) calls for ongoing employee training as part of the program. Employees must be made aware of the threats they will actually face: phishing, social engineering, and the signs of an intrusion.

Bottom Line with 201 CMR 17.00

If you own or license personal information about a resident of the Commonwealth, you must protect it, no matter where your business is located. Meeting the regulation also protects the rest of your data, including your own intellectual property, with the same controls.

Triton Technologies

Get an IT infrastructure that supports your clients and meets compliance requirements. Meet with us today.