‘201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH’ that went into effect March 1, 2010 to protect the personal information of Massachusetts residents by requiring businesses to have a multitude of safeguards, including a comprehensive Written Information Security Policy (WISP). Effective March 1, 2012, any company, in any location, that holds the personal information of Massachusetts residents must amend its existing third-party vendor contracts to require compliance with the Massachusetts data security regulations. The law is available at: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf.

The Massachusetts law 201 CMR 17.00 covers any business that “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.” The rules define “personal information” as a Massachusetts resident’s name combined with a financial, bank, or credit card account number, driver’s license number, or social security number. The regulations also apply to third parties and require contracts ensuring that the regulations are implemented and maintained, although those contracts did not need to be updated before March 1, 2012. The Massachusetts rules apply to out-of-state firms that handle personal information as well.

The Massachusetts regulations require companies handling personal information to adopt several administrative, technical, and physical safeguards, including computer system security requirements that involve encryption of personal information on laptops and other portable devices as well as of data transmitted across public networks or wirelessly. Businesses regulated by these rules must also implement a comprehensive Written Information Security Policy (WISP) that includes the following elements:
- Designation of Employee(s) to Maintain the WISP Program.
- Identification and Assessment of Internal and External Risks.
- Restricting Physical or Electronic Access to Personal Information.
- Verifying Third-Party Service Providers can Protect Personal Information.
- Collection, Access, and Retention Standards for Personal Information.
- Access, Storage, Use, and Disclosure of Personal Information.
- Review, Responsive Action, and Documentation of Responsive Action.
- Destruction of Personal Information No Longer Needed.
- Employee Training on WISP Program.
- Monitoring the WISP Program.
- Review of WISP Program.