
201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts

posted Aug 18, 2009 11:22 AM by Brad Durbin   [ updated Jan 3, 2010 9:54 AM ]

NEW MASSACHUSETTS RULES REQUIRE INFORMATION SECURITY PLANS AND PROCEDURES.

REQUIREMENTS ARE EFFECTIVE ON JANUARY 1, 2009

If your business has, in electronic or paper form, any personal information about any Massachusetts residents, you are required to draft, implement, and update a comprehensive written information security plan. You are also required to implement specified computer system security protections. Failure to do so will place your business out of compliance with state law. These regulations are among the most far-reaching in the country.

The official title of the regulations is “201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth.”

Broad Coverage

The new regulations have a broad coverage – they extend to any company or individual that “owns, licenses, stores or maintains personal information.”  There is no exception for small businesses.

“Personal information” in the regulations is defined as a Massachusetts resident’s first and last name, or first initial and last name, together with his or her Social Security number, driver’s license or state-issued ID number, bank or other financial account number, or credit or debit card number. Personal information may also include PIN numbers, passwords, or biometric information.

Personal Information Protection Obligation

The rules require covered companies to draft and implement a “comprehensive, written information security program.”  

The program must include:

  • Designate one or more employees to be in charge of information security
  • Assess the risk to the security, confidentiality, and/or integrity of electronic, paper or other records and the effectiveness of current risk mitigation procedures
  • Create security policies for employees that cover access and use of information
  • Impose disciplinary sanctions for employees who violate the program requirements
  • Reliably terminate access to records by former employees
  • If your business uses outside vendors that hold personal information, verify that service providers are capable of protecting personal information and are contractually obligated to do so
  • Limit the amount of personal information that your business collects to that necessary to accomplish the purpose for which the data is obtained. Also limit the time the information is held to that reasonably necessary for its purpose
  • Identify systems and storage media, including devices and portable computers, that contain personal information
  • Secure records on physical media by locked storage and restrict access to personal information under written procedures
  • Monitor security procedures regularly and, as appropriate, upgrade them
  • Review the security procedures and measures for personal information at least once per year, or more frequently as necessary, and address any deficiencies revealed in the review
  • Document security breaches and measures taken in response

Computer System Security Requirements

The new regulations also impose computer system security requirements on any business that owns, licenses, stores or maintains personal information about a Massachusetts resident.  The requirements include:

Authentication requirements, including:

  • Secure user authentication protocols, including passwords or other identification technologies, such as biometrics or tokens.
  • Data security password controls.
  • Access restrictions to ensure use by active users and active user accounts only.
  • Access shutdowns (account lockouts) that block access to a user identification after multiple unsuccessful attempts to gain access.

Access control measures, including:

  • Restricting access to records on a need-to-know basis.
  • Assigning unique (and non-vendor supplied) passwords to authorized personnel.
  • Encryption of records that pass through public networks using no less than 128-bit encryption.
  • Encrypted storage of personal information on portable devices and laptops.
  • Use of a firewall and keeping operating systems up to date with security patches.
  • Use of malware and virus scanning software that regularly updates virus definitions and security patches.
  • Training for employees on the proper use of the computer security system and the importance of personal information security.
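The authentication items above (only active accounts may log in; a user ID is blocked after repeated failed attempts) are easy to state and easy to get subtly wrong. The following Python sketch is an added example, not code from this page or from Retro-Vision, showing one way to implement them together with a consistent "denied" response for unknown and inactive accounts and an audit trail of each decision. The threshold of 5 failures, the 15-minute lockout, the PBKDF2 parameters and the sample accounts are all assumptions chosen for illustration; a real deployment would take them from its written security program.

```python
"""Added example: an authentication gate with active-account checks and
lockout after repeated failures. Policy values below are assumptions."""
from dataclasses import dataclass
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5           # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60  # assumed policy: 15-minute lockout window


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    active: bool = True       # "active user accounts only"
    failures: int = 0         # consecutive failed attempts
    locked_until: float = 0.0 # epoch seconds; 0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored credentials are not plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(username: str, password: str, active: bool = True) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), active)


class AuthGate:
    """Decides whether a login attempt is allowed and records every decision."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.clock = clock          # injectable so lockout expiry can be tested
        self.audit = []             # (timestamp, username, outcome) entries

    def _log(self, username: str, outcome: str) -> None:
        self.audit.append((self.clock(), username, outcome))

    def login(self, username: str, password: str) -> str:
        now = self.clock()
        acct = self.accounts.get(username)
        # Unknown and inactive accounts get the same answer, so the response
        # does not reveal which usernames exist or were deactivated.
        if acct is None or not acct.active:
            self._log(username, "denied-inactive-or-unknown")
            return "denied"
        if acct.locked_until > now:
            self._log(username, "denied-locked")
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0               # success resets the failure counter
            self._log(username, "ok")
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0               # counter restarts once the lock expires
            self._log(username, "locked")
            return "locked"
        self._log(username, "denied-bad-password")
        return "denied"


def demo() -> list:
    """Runs a constructed login sequence against a fake clock and returns
    the outcomes, so the lockout and its expiry can be observed offline."""
    clock = [1_000.0]
    gate = AuthGate(
        [create_account("alice", "correct horse battery"),
         create_account("bob", "former-employee", active=False)],
        clock=lambda: clock[0],
    )
    results = [gate.login("alice", "correct horse battery"),   # ok
               gate.login("bob", "former-employee")]           # denied (inactive)
    results += [gate.login("alice", "wrong") for _ in range(MAX_FAILURES)]
    results.append(gate.login("alice", "correct horse battery"))  # still locked
    clock[0] += LOCKOUT_SECONDS + 1                               # lock expires
    results.append(gate.login("alice", "correct horse battery"))  # ok again
    return results


if __name__ == "__main__":
    print(demo())
```

The fake clock is the part worth copying: lockout logic that depends on wall-clock time is otherwise hard to test, and an untested expiry path is where accounts end up permanently locked or never locked at all.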

All businesses should bring data policies and security systems into compliance with these regulations as soon as possible. Here is why:

  • In case of non-compliance, the Massachusetts Attorney General can sue to terminate violations.
  • Stakeholders, such as customers and employees, expect robust data security, and these regulations reinforce that expectation. A breach of security can harm customer confidence in your business.
  • If your company is party to contracts that require your company to hold data and to “comply with applicable law,” failure to comply with the regulations may constitute a breach of contract on your company’s part.
  • In some cases, failure to comply with the regulations may be deemed evidence of negligence.

UPDATE - DEADLINE CHANGED for Implementation of New Massachusetts Rules Requiring Information Security Plans and Procedures

This Update is about a reset of the deadline for compliance with the important new Massachusetts regulations on personal data and computer system security.

RIW recently distributed a Client Alert entitled "New Massachusetts Rules Require Information Security Plans and Procedures" explaining the sweeping new rules and noting that the deadline for compliance for 201 CMR 17.00 was January 1, 2009. That date is now changed. Due to many complaints about the short time for businesses to implement such comprehensive requirements, Massachusetts has set new deadlines:

Friday, May 1, 2009
  • Compliance deadline for the regulation as a whole
  • Requirement that businesses ensure that their third-party service providers protect personal information and contractually bind them to do so
Friday, January 1, 2010
  • Requirement that businesses require that their third-party providers provide written certification of information security compliance
  • Deadline for ensuring encryption of other portable devices (such as smart phones, BlackBerries, and memory devices)
Thursday, May 1, 2010
  • Deadline for ensuring encryption of laptops

Even with these changes, businesses that hold or manage personal data have a relatively short time to bring their data security plans and data systems into compliance.


SOLUTION:

http://www.truecrypt.org/

Free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux

Corporations can use TrueCrypt for professional use, without any concern for licensing!
Meaning you can save THOUSANDS on software costs. 

Main Features:

We can help you install this on your computers!
Keep in mind, drive encryption takes roughly 30 minutes to 2 hours per drive!
Don't wait until May 30th to start encrypting!

Do You Want To Do What I Do, or Do Want Me To Do What I Do For You?

posted Aug 6, 2009 7:23 AM by Brad Durbin   [ updated Jan 3, 2010 9:47 AM ]

As the years go on, new technology comes about that makes our lives easier. Many of us are stuck in the past and are prone to using technology that really isn’t technology any longer. The PCs that we were given to make our lives easier came with an Operating System and programs to make that happen.

Now, if you continue to use those same programs year after year, you are essentially defeating the purpose of the advancement of technology.

I spend countless hours researching and testing the newest and most efficient systems to squeeze the most out of newer technology. This makes me more efficient, and allows me to enjoy what I do more.  The only downside about technology advancement is when you see others using antiquated ways to accomplish a task or goal.


What That Means for You:

I am considering setting up a program that would basically put me in charge of your Technology. As I explore new programs and adopt them to my standard of working, I can share the information with you, or even do the same for you.


An example of what I mean is:

  • Many of you are using: Windows XP - - then there was Vista - -I currently use Windows 7

  • Many of you are using: Office 2003  - - then there was Office 2007 - - I currently use Office 2010

  • Your cell phones might be named after a fruit  - - I currently use one that integrates everything between office and mobile life

  • All my PC’s and phone auto back up data so even if a herd of elephants trampled my office and phone, I can resume again in mere minutes

  • I move about the country and never have to worry about accessing my files; they are not just in one place, they are wherever I need them, automatically


It is easy for me to stay up to date on the latest technology, but to do that for you, requires a bit of dedication, and willingness to change.


You can Do what I Do:

I can simply share the information with you as it happens for me, but you will need to take all the steps on your own time. And unfortunately, if you decide to skip one technology enhancement, you might as well give up on the rest.


OR


I can do what I do for You:

I can actually do the same things I do for me, but for you.

I will simply duplicate my efforts and invest the time to get your technology current. That means you will receive notifications that it’s time to update, and I will log in and take care of the updates for you. For really specialized needs, this may require acquiring new machines, and dropping the fruity phones for a real one.


Program costs have not been determined yet, but it would be a monthly service based on the amount of time I need to spend per computer you own. I can estimate that this program would start at $100 monthly, but keep in mind, the benefits of the time saved, increased productivity, and error reduction & efficiency will far exceed the cost.


I want to try to have at least 5-10 firm commitments before rolling this program out. Consider sharing this with associates and other offices and please share your thoughts with me directly.


Regards,

Brad Durbin
(508) 332-4883
brad@retro-vision.net
