MA Regulations Require Businesses to Have Information Security Program to Protect Personal Information
By Lester Rosen, ESR President
The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) recently issued regulations, effective March 1, 2010, aimed at safeguarding the personal information of Massachusetts residents. The regulations require any covered business to have a Written Information Security Program (WISP) to protect that personal information.
The STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH cover any business that “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”
The rules define personal information as a Massachusetts resident’s name combined with a Social Security number, a driver’s license or state-issued ID card number, or a financial account number.
The regulations also reach third-party service providers: a business must contractually require its providers to implement and maintain the same safeguards, although contracts already in place did not need to be updated before March 1, 2012. Massachusetts also appears to take the position that the rules apply to out-of-state firms that handle the personal information of Massachusetts residents.
A business covered by these rules must adopt and implement a comprehensive written information security program, or WISP. The rules do not prescribe exact policies; they set minimum requirements and direct a business to take a number of factors into account, such as the kind of records it maintains and the risk of identity theft.
Among other things, a business must review reasonably foreseeable internal and external risks, regularly evaluate and improve its safeguards, set policies for employee access to records outside of the business premises, implement security measures such as password controls and an up-to-date firewall, train employees, ensure that terminated employees can no longer access confidential data, and impose disciplinary measures for violations of the program.
This new law has been described as the toughest in the nation, and it should go a long way toward improving privacy and data security and fighting identity theft. The text of the regulations can be viewed at: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.
With these strict information security regulations now in effect in Massachusetts, employers need to ensure that their background screening firms are in compliance. Employment Screening Resources (ESR) – a leading background check provider – maintains compliance with the new Massachusetts personal information protection rules. For more information on privacy and data security as it relates to background checks, contact Employment Screening Resources at http://www.ESRcheck.com.