IT Support and IT Outsourcing Company


Technical Brief December 2008

Understanding What Massachusetts' New Privacy Standards Mean to You

By May 1, 2009, essentially all businesses in Massachusetts (and many outside the state as well) will need to comply with the state's new and stringent privacy standards. The regulation, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, leaves barely anyone exempt. The standards must be met by persons or businesses who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. These standards apply not only to electronic records, but to paper records as well. It's critical for businesses to understand and comply with the standards, as non-compliance or breach of information can result in fines up to $5,000 per violation.

Anyone who meets the criteria outlined by the standards will need to develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information. In short, the program will require the person or business to:

  • designate one or more employees to oversee the program,
  • identify data at risk,
  • evaluate the security safeguards,
  • develop and implement security policies,
  • implement employee policies and procedures,
  • verify that third-parties with access to personal information have the capacity to protect it,
  • require an audit/inventory to identify paper, electronic and other records, computing systems, and storage media to determine which records contain personal information,
  • regularly monitor to ensure that the security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrade information safeguards as necessary to limit risks,
  • review the scope of the security measures on at least an annual basis or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information,
  • document incident responses involving a breach of security, and changes in business practices resulting from the incidents.

 
