Mass 201 CMR 17 is a Massachusetts regulation that establishes minimum standards for protecting the personal information of residents of the Commonwealth. It applies to any person or business that owns or licenses personal information about a Massachusetts resident, including businesses located outside the state that have customers or employees in Massachusetts. It requires covered organizations to adopt specific administrative, physical and technical safeguards, such as encryption of personal information stored on laptops and portable devices or transmitted over public networks, and up-to-date firewall and malware protection. The related duty to notify affected residents, the Attorney General and the Office of Consumer Affairs and Business Regulation (OCABR) after a breach comes from the enabling statute, M.G.L. chapter 93H, under which 201 CMR 17 was issued.

In an effort to protect Massachusetts residents from the rising incidence of fraud and identity theft resulting from data loss, the Commonwealth adopted aggressive regulatory requirements for the protection of personal information. Compliance with 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth (commonly shortened to 201 CMR 17, or called the Massachusetts Privacy Law) is mandatory. The regulation sets a minimum standard for protecting Massachusetts residents’ personal information held in both paper and electronic records. For the purposes of the regulation, personal information (PI) is a resident’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to the resident:

- Social Security number;
- driver’s license number or state-issued identification card number;
- financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to the resident’s financial account; or
- a biometric indicator.

Information that is lawfully obtained from publicly available sources, or from government records lawfully made available to the general public, is not PI under the regulation.
The Massachusetts regulation set a new bar among state security laws by reaching any entity that handles Massachusetts residents’ sensitive data, regardless of where that entity is located. It is intended to bring entities into alignment with existing federal and industry requirements, including the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), enforced by the Federal Trade Commission (FTC), and the Payment Card Industry Data Security Standard (PCI DSS), overseen by the PCI Security Standards Council. Its process and technical controls are aimed at preventing breaches of either paper or electronic records containing PI. For electronic records this covers PI in databases, on laptops and portable devices, inside applications, and in practically any other system where electronic PI can be in transit or at rest.
Does Mass 201 CMR 17 Apply to Me?
All persons, corporations, associations, partnerships and other legal entities whose systems hold Massachusetts residents’ personal information, in transit or at rest, were required to comply with 201 CMR 17 by March 1, 2010. Because the required information security program must be built on a risk assessment, the internal and external risk assessments had to be completed before that effective date. The regulation applies regardless of whether the entity or the data is inside or outside state borders. Note that the regulation’s definition of “person” excludes agencies and political subdivisions of the Commonwealth itself, which are subject to separate rules issued under chapter 93H.
What if I do not comply?
Penalties for non-compliance with 201 CMR 17 are enforced through Massachusetts General Laws Title XV (Regulation of Trade), chapter 93A, section 4. Violators face a civil penalty of up to $5,000 for each violation, must pay the reasonable costs of investigating and litigating the violation (including reasonable attorney’s fees), and are exposed to additional civil actions, since 201 CMR 17 creates a baseline standard of care that lets plaintiffs argue that a business that lost data was negligent. Title XV (chapter 93H, section 3) also requires that any breach of security be reported to the Attorney General, to the Office of Consumer Affairs and Business Regulation (OCABR) and to the affected residents.
What you need to be Mass 201 CMR 17 compliant:
The Massachusetts Privacy Law requires that the following criteria be met:
- An internal and external risk assessment of the human, physical and technical environment, measured against the criteria set out in 201 CMR 17
- The computer system security requirements follow a risk-based approach and must be met to the extent technically feasible, meaning that where reasonable technology exists to accomplish a required result, reasonable means must be used to accomplish it
- The results of the internal and external risk assessments, and the safeguards adopted in response, must be documented in a comprehensive written information security program (WISP)
- The scope of the WISP must be reviewed at least annually, and whenever there is a material change in business practices that may affect the security controls
The OCABR published the 201 CMR 17 Compliance Checklist as an aid for organizations, or their auditors, conducting the risk assessment. At the time of writing, additional guidance from the state on how and where to submit risk assessment results was expected before the March 2010 deadline.
Article courtesy of Rapid7.