Massachusetts has new privacy regulations that went into effect on March 1, 2010. These regulations affect almost all entities, except for government bodies, that hold private information about any resident of Massachusetts, whether or not the entity has an office within the state. Specifically, the regulations, commonly called 201 CMR, apply to entities that collect and store sensitive information that must be kept private. Here is a link provided by the state with general information regarding the regulation: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.
In order to comply, a company must institute a security program designed to protect sensitive information associated with a person’s name: Social Security numbers, driver license numbers, credit card numbers and any financial/banking institution accounts and associated credentials. These elements must be protected whether they are stored on paper or electronically. The regulations provide for stiff fines for non-compliance or security breaches.
To protect this information, entities have to meet requirements such as: a written data privacy policy, functioning firewalls and anti-virus/anti-spam software, applicable security updates on all computers, and encryption of all wireless communications. Companies need to designate an individual to be responsible for the security program. In addition, encryption is required for protected elements that are passed to and from the Internet, or that are placed on laptops or on any other device (USB drive, thumb drive, etc.) that can leave the firm’s premises. Access to the protected data must be limited to those whose job functions require it, and data access must be protected by security policies that require strong passwords that are regularly updated. Users must also receive training on the policy.

Even the smallest companies can be put at great financial and reputational risk if there is a breach. Breaches need to be disclosed and non-disclosure could lead to even larger fines.

If you would like a tutorial or consultation on how your organization can have an effective policy, please email me at ed.mchugh@tekexpertise.com.