Geek: 201 CMR 17.00 M.G.L. c. 93H
The following is a Geek-to-English translation of the new Massachusetts privacy regulations. All quotes are taken from 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH.
When does it start?
Originally this regulation was due to start on January 1, 2009, but that was too short a time frame for implementation, so the state changed it to March 1, 2010. It should be noted that the state has said that it will not move the deadline again.
Who is affected?
This is the most important question that all businesses must answer. Luckily it is very easy to figure out.
Geek: This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.
English: If your business is in possession (either on paper or electronically) of a Massachusetts resident's personal information, you are affected. Personal Information is defined as:
A Massachusetts resident's first name (or initial) and last name combined with one or more of the following:
- Social Security number.
- Driver’s license number or state issued ID card number.
- Financial account number or credit or debit card number.
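As an added illustration (not part of the original post or of the regulation), the following Python check applies that definition to a record: it flags the record only when a name is present together with at least one of the listed identifiers, so an identifier with no name, or a name with no identifier, is out of scope. The SSN, license and card-number formats and the sample records are assumptions constructed here; a Luhn checksum is used to discard random digit runs that are not card numbers.

```python
import re

# Added example (not from the regulation): flag a record as Massachusetts
# "personal information" only when a name (first name or initial plus last
# name) appears together with at least one listed identifier.
# Identifier formats below are assumptions for illustration, not regulatory text.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DL_RE = re.compile(r"\bS\d{8}\b")                  # assumed MA licence shape: S + 8 digits
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digit runs, Luhn-checked below

def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_identifiers(text: str) -> set:
    """Return which kinds of listed identifiers appear in free text."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    if DL_RE.search(text):
        kinds.add("license")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        kinds.add("card")
    return kinds

def is_personal_information(record: dict) -> bool:
    """True only when the record holds both a name and an identifier."""
    if not (record.get("first", "").strip() and record.get("last", "").strip()):
        return False                       # identifier alone is out of scope
    other = " ".join(str(v) for k, v in record.items() if k not in ("first", "last"))
    return bool(find_identifiers(other))

# Constructed sample records (not real data)
SAMPLES = [
    {"first": "J.", "last": "Doe", "notes": "SSN 123-45-6789 on file"},    # in scope
    {"first": "Jane", "last": "Doe", "notes": "prefers email contact"},    # no identifier
    {"first": "", "last": "", "notes": "SSN 123-45-6789"},                 # no name
    {"first": "Jane", "last": "Doe", "notes": "ref 1234 5678 9012 3456"},  # fails Luhn
    {"first": "Jane", "last": "Doe", "notes": "card 4111 1111 1111 1111"}, # in scope
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(is_personal_information(rec), rec["notes"])
```

A real data inventory would also need a name detector for unstructured files; here the name is assumed to sit in structured fields.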
How long will it take me to become compliant?
While it will depend on how far from compliance you are at the start, generally you should plan on it taking 2-4 months to prepare.
How much will it cost?
Some early estimates we have heard, including legal, technical, training and documentation costs, range from $4,000 to $10,000.
What are the technical requirements of the new regulation?
There are 8 major topics that the regulation outlines:
- Strong passwords and good password management and restricting access to only active users. (Geek: Secure user authentication protocols.)
- Restrict access (with strong passwords) to personal information to only those who need such information to do their job. (Geek: Secure access and control measures.)
- Encrypt all data (personal information) that will go out over the Internet or over any wireless network. (Geek: To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.)
- Monitor your network to make sure no one breaks in, whether external or internal. (Geek: Reasonable monitoring of systems, for unauthorized use of or access to personal information.)
- Encryption of all personal information stored on laptops or other portable devices. (Geek: Encryption of all personal information stored on laptops or other portable devices.)
- Maintain a working, updated firewall and keep your operating systems (Windows XP, Windows Vista etc.) current with the latest updates. (Geek: Reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.)
- Have active and currently updated Anti-Virus software running on all systems. (Geek: Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions.)
- Education and training of employees on the proper use of the computer security system and the importance of personal information security. (Geek: Education and training of employees on the proper use of the computer security system and the importance of personal information security.)
What are the non-technical aspects of the regulation?
Please download and read the full regulation here…
Does Atlas Technology Consulting have any booklets or guides that would help me learn more about this new regulation?
Yes—we are selling a booklet to help guide you through the process.
The above is meant only as a brief outline. There are many details of the regulation that we have not covered here. We recommend consulting with your attorney and IT professionals to make sure you are compliant.