Massachusetts Privacy Law
Massachusetts recently enacted the strictest Data Security Laws in the nation. Massachusetts General Law Chapter 93H, and the regulations 201 CMR 17.00 that implement it, took effect on March 1, 2010.
Read the New Regulations Here
See MA Office of Consumer Affairs & Business Regulation (OCABR) Checklist here
After more than two years of debate there is no more delay. Instead of getting less restrictive during the debate, these laws have become more onerous for business in the Commonwealth. As if running a business was not hard enough, this Law could put you out of Business.
Call Us
508.285.5080
877.789.5893
Email: Info@actco.com
These requirements go well beyond the current Credit Card Industry’s PCI Compliance Rules.
Important Note: We are not
attorneys and this information is not intended to provide legal advice
in any way. This is not the complete regulation, but rather highlights
of what we felt were the most important sections. If you need legal
advice please contact an attorney. If you need help collecting data,
writing procedures, training staff, or securing your systems, then we
can help your company become compliant.
Scope - The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.
Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) Driver's license number or state-issued identification card number; or
(c) Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Record or Records, any material upon which written, drawn, spoken,
visual, or electromagnetic information or images are recorded or
preserved, regardless of physical form or characteristics.
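As an added illustration (it is not part of this page or of the regulation), the following Python classifies inventoried records against the definition of personal information above: a first name or first initial plus a last name, combined with at least one of the data elements (a) to (c), minus the public-record exclusion. The record field names, the value patterns for each data element and the Luhn filter on card numbers are this example's own assumptions, not formats the regulation prescribes.

```python
"""Classify records against the 201 CMR 17.00 definition of "personal information"."""
import re
from dataclasses import dataclass

# Illustrative patterns for data elements (a)-(c) of the definition (assumptions, not
# formats the regulation prescribes). Values are normalised first by stripping spaces
# and hyphens and upper-casing.
SSN_RE = re.compile(r"^\d{9}$")
ID_RE = re.compile(r"^[A-Z]?\d{8,9}$")      # driver's license / state ID (assumed shape)
CARD_RE = re.compile(r"^\d{13,19}$")        # credit/debit card number length range
ACCOUNT_RE = re.compile(r"^\d{6,17}$")      # bank account number (assumed shape)


@dataclass
class Record:
    """One inventoried record; the field names are this example's own."""
    first_name: str = ""
    last_name: str = ""
    ssn: str = ""
    license_id: str = ""
    account_number: str = ""
    card_number: str = ""
    # True when lawfully obtained from publicly available information or public
    # government records, which the definition expressly excludes.
    public_record: bool = False


def _normalise(value: str) -> str:
    return re.sub(r"[\s-]", "", value or "").upper()


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by card numbers; weeds out digit strings that cannot be a card."""
    digits = [int(c) for c in _normalise(number)]
    if not digits:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_name(rec: Record) -> bool:
    """First name or first initial together with a last name, as the definition requires."""
    return bool(rec.first_name.strip()) and bool(rec.last_name.strip())


def data_elements(rec: Record) -> list:
    """Which of the definition's data elements (a)-(c) the record carries."""
    found = []
    if SSN_RE.match(_normalise(rec.ssn)):
        found.append("(a) Social Security number")
    if ID_RE.match(_normalise(rec.license_id)):
        found.append("(b) driver's license / state ID number")
    if ACCOUNT_RE.match(_normalise(rec.account_number)):
        found.append("(c) financial account number")
    # A card number counts with or without its security code, so the number alone
    # suffices; the Luhn check only removes strings that cannot be a card number.
    card = _normalise(rec.card_number)
    if CARD_RE.match(card) and luhn_ok(card):
        found.append("(c) credit/debit card number")
    return found


def classify(rec: Record) -> dict:
    """Whether the record is "personal information" under the definition, and why."""
    elements = data_elements(rec)
    if rec.public_record:
        return {"personal_information": False, "elements": elements,
                "reason": "lawfully obtained from public records (excluded)"}
    if not has_name(rec):
        # A bare SSN or card number is not "personal information" as defined because the
        # name combination is missing; it is still sensitive and worth tracking separately.
        return {"personal_information": False, "elements": elements,
                "reason": "no first name/initial + last name combination"}
    if not elements:
        return {"personal_information": False, "elements": elements,
                "reason": "no qualifying data element"}
    return {"personal_information": True, "elements": elements,
            "reason": "name combined with " + "; ".join(elements)}


def inventory(records: list) -> list:
    """Indexes of the records that contain personal information (inventory helper)."""
    return [i for i, r in enumerate(records) if classify(r)["personal_information"]]


# Constructed sample records (not real data) covering the definition's edge cases.
SAMPLE_RECORDS = [
    Record("Jane", "Doe", ssn="123-45-6789"),                          # name + SSN -> PI
    Record("J", "Smith", card_number="4111 1111 1111 1111"),           # initial + card -> PI
    Record(ssn="987-65-4321"),                                          # SSN alone -> not PI as defined
    Record("Tom", "Lee", license_id="S12345678", public_record=True),  # public-record exclusion
    Record("Ann", "Ng"),                                                # name only -> not PI
    Record("Bo", "Li", card_number="4111 1111 1111 1112"),             # fails Luhn -> not a card number
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, classify(rec))
    print("records with personal information:", inventory(SAMPLE_RECORDS))
```

A bare Social Security or card number without the name combination falls outside the definition, so an inventory built only on this rule will not list it; track such values separately rather than treating them as unprotected.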
Duty to Protect and Standards for Protecting Personal Information
Every person that owns, licenses, stores or maintains
personal information about a resident of the Commonwealth shall develop,
implement, maintain and monitor a comprehensive, written information
security program applicable to any records containing such personal
information. Such comprehensive information security program shall be
reasonably consistent with industry standards, and shall contain
administrative, technical, and physical safeguards to ensure the
security and confidentiality of such records. Moreover, the safeguards
contained in such program must be consistent with the safeguards for
protection of personal information and information of a similar
character set forth in any state or federal regulations by which the
person who owns, licenses, stores or maintains such information may be
regulated.
Key Factors:
· The size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program,
· the amount of resources available to such person,
· the amount of stored data, and
· the need for security and confidentiality of both consumer and employee information.
Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:
(a) Designating one or more employees to design, implement and coordinate the maintenance of the comprehensive information security program;
(b) Identifying and assessing internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information in each relevant area of the person’s operation, and evaluating and improving, where necessary, the effectiveness of the current safeguards for minimizing such risks, including but not limited to:
1. ongoing employee (including temporary and contract employee) training; monitoring employee compliance with policies and procedures;
2. upgrading information systems, including network, system and software design, as well as information processing, storage, and transmission, as necessary;
3. storage of records and data in locked facilities, storage areas or containers; and
4. improving, as necessary, means for detecting, preventing and responding to security, including but not limited to security systems, failures.
(c) Developing security policies for employees who telecommute that take into account whether and how such employees should be allowed to keep, access and transport data containing personal information.
(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.
(e) Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.
(f) Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including
1. selecting and retaining service providers that are capable of maintaining safeguards for personal information; and
2. contractually requiring service providers to maintain such safeguards. Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations.
(g) Collecting the minimum amount of personal information necessary to accomplish the legitimate purpose for which it was collected; retaining such information for the minimum time necessary to accomplish such purpose; and permitting access to the smallest number of persons who are reasonably required to know such information in order to accomplish such purpose.
(h) Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.
(i) Regularly monitoring and auditing employee access to personal information in order to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information.
(j) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
(k) Documenting responsive actions taken in connection with any incident involving a breach of security or the potential thereof, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
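The following Python is an added example, not material from this page or from the regulation, of the monitoring and auditing of employee access to personal information described in items (e), (g) and (i) above. It parses a constructed access log, checks each event against an authorized-user list and a terminated-employee list, and flags exports and unusually broad access so that the findings can be documented as item (k) requires. The log format, the user names, the "export" action and the bulk-access threshold are assumptions made for the example.

```python
"""Audit employee access to records containing personal information."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed access log (not real data): timestamp, user, record id, action.
SAMPLE_LOG = """\
2010-03-02T09:15:00 jdoe CUST-0001 read
2010-03-02T09:16:10 jdoe CUST-0002 read
2010-03-02T10:02:33 msmith CUST-0001 read
2010-03-02T11:45:00 tlee CUST-0003 read
2010-03-02T13:20:05 msmith CUST-0004 export
2010-03-03T08:00:00 jdoe CUST-0005 read
2010-03-03T08:00:01 jdoe CUST-0006 read
2010-03-03T08:00:02 jdoe CUST-0007 read
"""

# Users whose duties reasonably require access (item (g): smallest number of persons).
AUTHORIZED = {"jdoe", "tlee"}
# Terminated employees and the moment their access should have been revoked (item (e)).
TERMINATED = {"tlee": datetime(2010, 3, 1, 17, 0, 0)}
# Assumed review threshold: more than this many distinct records per user per day is flagged.
BULK_THRESHOLD = 2


def parse_log(text: str) -> list:
    """Parse the whitespace-separated log format assumed by this example."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, record_id, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "record": record_id, "action": action})
    return events


def audit(events: list, authorized=AUTHORIZED, terminated=TERMINATED,
          bulk_threshold=BULK_THRESHOLD) -> list:
    """Return findings as (kind, user, detail, when) tuples for the written incident record."""
    findings = []
    per_user_day = defaultdict(set)
    for ev in events:
        user, when = ev["user"], ev["ts"].isoformat()
        if user in terminated and ev["ts"] > terminated[user]:
            # Access after termination means deactivation of the account was missed.
            findings.append(("terminated_user_access", user, ev["record"], when))
        elif user not in authorized:
            # Access by someone outside the need-to-know set.
            findings.append(("unauthorized_user", user, ev["record"], when))
        if ev["action"] == "export":
            # Exports move personal information out of the controlled store; always review.
            findings.append(("export", user, ev["record"], when))
        per_user_day[(user, ev["ts"].date())].add(ev["record"])
    # Broad access in a short period is worth a look even from an authorized user.
    for (user, day), records in sorted(per_user_day.items()):
        if len(records) > bulk_threshold:
            findings.append(("bulk_access", user, f"{len(records)} records", day.isoformat()))
    return findings


def summarize(findings: list) -> Counter:
    """Count findings by kind for the periodic review."""
    return Counter(kind for kind, *_ in findings)


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG))
    for finding in results:
        print(finding)
    print(summarize(results))
```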
Where do we start?
Phase 1 - Collect, Catalog, Evaluate, Designate
Collect
· What Personal Information do we have?
· Who has it?
· Where and how is it obtained?
Catalog
· Where and how is it stored?
· Who has access?
Evaluate
· Do we need it?
· How long do we need to keep it?
· How will it be destroyed?
Designate
· Who is responsible for its safety?
· Who is responsible for the destruction?
Phase II – Review & Document
Phase III – Develop a Written Plan
Phase IV – Implementation
Phase V – Testing, Review, Revision