The Massachusetts Offices of Consumer Affairs and Business Regulations (OCABR) passed strict data privacy and security regulations, ‘201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH’, that went into effect March 1, 2010 to protect the personal information of Massachusetts residents by requiring businesses to have a multitude of safeguards, including a comprehensive Written Information Security Policy (WISP). Effective March 1, 2012, any company, in any location, that holds the personal information of Massachusetts residents must amend its existing third party vendor contracts to require compliance with the Massachusetts data security regulations. The law is available at: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf.
The Massachusetts Offices of Consumer Affairs and Business Regulations (OCABR) recently passed regulations that went into effect March 1, 2010 and are aimed at safeguarding the personal information of Massachusetts residents by requiring a business to have a Written Information Security Program (WISP) to protect personal information.
The STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH cover any business that “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”
The rules define personal information as a Massachusetts resident’s name combined with a Social Security number, a driver’s license or state-issued ID card number, or a financial account number.
The regulations also apply to third parties and require that contracts be in place to ensure that the regulations are implemented and maintained, although existing contracts did not need to be updated before March 1, 2012. It appears that Massachusetts takes the position that the rules apply to out-of-state firms that handle personal information as well.
A business that is regulated by these rules must have and implement a comprehensive Written Information Security Policy, or WISP. The rules do not specify exact policies but provide minimum requirements and indicate that a business should take a number of factors into account, such as the kind of records it maintains and the risk of identity theft.
Among the things a business must do are: review foreseeable internal and external risks; evaluate and improve its safeguards; set policies for employee access to personal information from outside the business; implement security measures such as password controls and an up-to-date firewall; train employees; ensure that terminated employees cannot access confidential data; and impose disciplinary measures for violations of the regulations.
This new law has been described as the toughest in the nation, and it should go a long way toward improving privacy and data security and fighting identity theft. The text of the new regulations can be viewed at: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf.
With these strict information security regulations now in effect in Massachusetts, employers need to ensure that their background screening firms are in compliance. Employment Screening Resources (ESR), a leading background check provider, maintains compliance with the new personal information protection rules in Massachusetts. For more information on privacy and data security as it relates to background checks, contact Employment Screening Resources at http://www.ESRcheck.com.