
The Massachusetts Privacy Law (201 CMR 17.00):


What it means to you, steps you need to take, and how we can help

The new Massachusetts Privacy Law requires a significant overhaul of administrative and security processes for many companies, and the deadline is just around the corner: March 1, 2010. To help you understand this new law and what you need to do to comply, we’ve put together this summary. You can also download a copy of the law if you want to review the actual wording.


The New Massachusetts Privacy Law: Does It Apply to YOU?
The new regulations apply to those engaged in commerce. Specifically:

  • It applies to all persons (and persons includes corporations, partnerships and other legal entities) that “own or license” personal information from a resident of the Commonwealth.  “Owns or licenses” means:  “Receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of goods or services directly to a person that is subject to this regulation.”
  • “Personal information” to be protected includes a Massachusetts resident’s name (either first and last name or first initial and last name) combined with any one or more of the following:  (a) Social Security number; (b) driver’s license or other state-issued identification number; or (c) a financial account number or a credit or debit card number, with or without security code, access code, PIN, or password, that would permit access to a resident’s financial account. It does not include any information lawfully obtained from publicly available information or from federal, state or local government records lawfully made available to the general public—such as a person’s date of birth.
  • The regulations apply not just to companies doing business in Massachusetts, but to any business that handles the personal information of Massachusetts residents. If you’re located in Vermont, New Hampshire, New York or any other state, if you handle personal information of Massachusetts residents, these regulations apply to you.


First priority: a Written Information Security Plan (WISP)
If the Massachusetts Privacy Law applies to you, you must develop, implement, maintain and monitor a comprehensive, written information security program (WISP) to ensure the security and confidentiality of personal information in both physical and electronic format. The law states that the WISP must be appropriate to the company’s size and scope of business, availability of resources, nature and quantity of data stored, and the need for security and confidentiality of both consumer and employee information. We can walk you through the steps:

Assess your personal information
Thinking about creating a WISP can be overwhelming, and it certainly will take time and resources. RCS Consulting can help you come up with a comprehensive plan that encompasses these steps:

  1. Identify records containing personal information of Massachusetts residents. While you are not required to “inventory” all paper and electronic records containing personal information, you will still need to identify which records contain personal information so you can protect and handle that information properly.
  2. Review the way you currently collect, retain, and use personal information of Massachusetts residents. While you don’t need to specifically include this information in your WISP, in order to ensure compliance you will need to know how much personal information you collect, how long you keep it, and who in the organization has access to it. Some questions to ask:
    1. What personal information do you collect?
    2. Do you collect it in hardcopy or electronic form?
    3. What becomes of this information?
    4. What becomes of the completed forms used to initially collect the personal information?
    5. If the personal information is stored electronically, who has access to it?
    6. How do you dispose of this information after it is no longer needed?
  3. Institute and document corrective actions uncovered by this review. If the review uncovers any unauthorized access or unauthorized use of personal information, ensure that reasonable restrictions on access are in place, including safeguards for limiting your risk of both internal and external threats.
  4. Designate a Data Security Coordinator. Under the law, one or more of your employees must be designated as an information security coordinator and charged with maintaining your information security plan. The responsibilities of the coordinator(s) should include:
    1. Initial implementation of the plan
    2. Initial training of employees, including temporary and contract employees (annually thereafter) (more below)
    3. Regular testing of the plan’s safeguards
    4. Annual review of the scope of the plan, or whenever there is a material change in business practices that may affect the security or integrity of records containing personal information (more below)
    5. Evaluating the ability of third party service providers to comply with 201 CMR 17.00 (more below)

Assess your access to personal information
While the final regulations no longer require you to include a written procedure about how physical access to such records is restricted, the law does state that you need to have reasonable restrictions in place. We recommend that you:

  • Lock up all hard copy records.
  • Restrict access to those who need it to perform their job.
  • Establish policies for off-site storage, access, and transportation of personal information.
  • Make sure your computers guard against external threats (more below).
  • Make sure your visitor procedures are secure. At the very least, require visitors to present a photo ID, sign in and wear a visible “Guest” tag or badge, and escort them in all areas of the facility where personal information is stored.


Assess your computer security
The State has declared that if a “technically feasible” means exists to electronically protect personal information, it must be used. Technical means do exist for you to ensure:

  • Secure user authentication protocols. These protocols must include control of user IDs and other identifiers; a reasonably secure method of assigning and selecting passwords; control of password security; restricting access to active users; and blocking access after multiple attempts.
  • Secure access control measures. These measures must include restricting access to records and files containing personal information to those who “need to know” to perform their jobs as well as assigning unique IDs and passwords (not shared nor vendor-supplied default passwords).
  • Monitoring for unauthorized use or unauthorized access. Reasonable monitoring is required, and we can help you with a variety of ways to monitor, including intrusion detection tools, application logs, server firewalls, network security logs and file system auditing, to name a few.
  • Firewall protection and OS patches. You must implement and maintain “reasonably up-to-date” firewall protection and operating system security patches for files containing personal information on a system that is connected to the Internet.
  • Viruses and malware. You must implement and maintain “reasonably up-to-date” versions of system security agent software that includes malware protection and “reasonably up-to-date” patches and virus definitions, and you must be set up to receive the most current security updates on a regular basis.
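Two of the controls listed above, blocking access after multiple failed attempts and monitoring logs for use of shared or vendor-default accounts, can be checked against authentication logs. The script below is an added example written for this summary, not code from RCS Consulting or from the regulation itself; the log line format, the 5-failures-in-15-minutes policy, and the list of forbidden shared or default account names are assumptions made for the example, and the log lines are constructed.

```python
"""Added example (not RCS Consulting's code): review constructed authentication
log lines for (a) users who should have been locked out after repeated failed
logins and (b) successful logins to shared or vendor-default accounts, which
201 CMR 17.00 says must not be used.  Log format, threshold, window and the
account list are assumptions for this example."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO timestamp> <user> <OK|FAIL> <source IP>").
SAMPLE_LOG = """\
2010-02-15T09:00:01 alice FAIL 10.0.0.5
2010-02-15T09:00:07 alice FAIL 10.0.0.5
2010-02-15T09:00:12 alice FAIL 10.0.0.5
2010-02-15T09:00:20 alice FAIL 10.0.0.5
2010-02-15T09:00:25 alice FAIL 10.0.0.5
2010-02-15T09:00:31 alice OK 10.0.0.5
2010-02-15T09:05:00 bob OK 10.0.0.9
2010-02-15T09:10:00 admin OK 10.0.0.9
2010-02-15T10:00:00 carol FAIL 10.0.0.7
2010-02-15T11:30:00 carol FAIL 10.0.0.7
"""

MAX_FAILURES = 5                  # assumed policy: lock after 5 failures ...
WINDOW = timedelta(minutes=15)    # ... that fall within a 15 minute window
# Assumed list of shared / vendor-default account names the policy forbids.
SHARED_OR_DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "sa"}


def parse_line(line):
    """Split one log line into (timestamp, user, result, source_ip)."""
    ts, user, result, ip = line.split()
    return datetime.fromisoformat(ts), user, result, ip


def find_lockouts(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {user: time of the failure that reached the threshold}.

    Only failures inside the sliding window count, and a successful login
    resets the counter, matching how a lockout policy is normally applied."""
    failures = defaultdict(list)
    lockouts = {}
    for line in log_text.splitlines():
        ts, user, result, _ = parse_line(line)
        if result == "OK":
            failures[user].clear()
            continue
        recent = [t for t in failures[user] if ts - t <= window]
        recent.append(ts)
        failures[user] = recent
        if len(recent) >= max_failures and user not in lockouts:
            lockouts[user] = ts
    return lockouts


def find_shared_account_logins(log_text):
    """Return (timestamp, user, source_ip) for successful logins to forbidden accounts."""
    hits = []
    for line in log_text.splitlines():
        ts, user, result, ip = parse_line(line)
        if result == "OK" and user in SHARED_OR_DEFAULT_ACCOUNTS:
            hits.append((ts, user, ip))
    return hits


if __name__ == "__main__":
    for user, when in find_lockouts(SAMPLE_LOG).items():
        print(f"LOCKOUT   {user} reached {MAX_FAILURES} failures at {when.isoformat()}")
    for when, user, ip in find_shared_account_logins(SAMPLE_LOG):
        print(f"SHARED ID {user} logged in from {ip} at {when.isoformat()}")
```

In the constructed log, alice reaches the threshold at 09:00:25 and then logs in successfully at 09:00:31; a system enforcing the policy would have refused that login, so a report like this one is a way to confirm that the configured lockout actually fires. Carol's two failures are 90 minutes apart and do not count together, and the successful login to `admin` is reported because the regulation requires unique, non-default IDs.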


Encryption is now required
Laptops, portable devices, backup tapes, email and public network and wireless transmissions containing personal information require encryption where it is “reasonable and technically feasible.”  You must:

  1. Encrypt transmitted records containing personal info, including outgoing emails containing personal information, as well as personal information traveling across public networks or transmitted wirelessly.
  2. Encrypt portable devices containing personal info. The State recognizes that at this point, there is little, if any, accepted encryption technology for most portable devices (cell phones, Blackberries, iPhones, Netbooks, etc.). But the State does stress that you should not place personal information at risk in the use of these devices. Technology to encrypt laptops exists.
  3. Remember your web site. You must verify as being secure any company or third party web portals onto which the personal information of Massachusetts citizens is entered.

Assess your vendors

  • Evaluate the capacity of your third party service providers. The regulations require you to take reasonable steps to select and retain third party service providers who are capable of maintaining appropriate safeguards to protect personal information as set forth under 201 CMR 17.00, along with any applicable federal regulations. Service providers include any vendors who handle personal information of Massachusetts citizens on your behalf (e.g., background check services, payroll services, life and health insurance providers, 401K administrator services, credit card processing firms, etc.).
  • You must enter into written contracts with all third party service providers requiring them to implement and maintain appropriate security measures.  If a company or an individual utilizes a third party to handle data, the contract must include provisions for appropriate safeguards by March 1, 2010.  Existing contracts are not required to be updated before March 1, 2012, but new or renewal contracts executed after March 1, 2010 must include appropriate safeguard provisions.

Employee training and security
The law mandates that you:

  • Train employees, including temporary and contract employees, on an ongoing basis in the proper use of the computer security system and the importance of personal information security. You should document their attendance at these training sessions and certify their familiarity with the company’s requirements for protection of personal information.
  • Establish and enforce disciplinary measures for employees who violate the security program’s rules.
  • Prevent terminated employees from accessing personal information. It is good practice to immediately terminate their physical and electronic access to such records, including deactivating their passwords and user names.

Ongoing monitoring is required
You will need to review information security policies for relevancy and efficacy on an annual basis (at a minimum) or whenever there is a material change in business practices that may affect the security or integrity of records containing personal information.


Where to begin—we can help!

March 1 will be here before you know it. While you may find that your existing security policies cover many aspects of this new regulation, you may still be a long way from compliance.

We can help you, both with evaluating your existing security and with filling the gaps between what you have and what you are required to have in place by March 1, 2010. Our IT experts can provide:


Review and assessment: We will evaluate your existing information privacy programs, and identify what you need to do to reach compliance. We can also help you create and document clear, concrete policies and procedures to bring you into compliance.


Recommendations: We will provide you with recommendations that you can act upon, and go over them step by step. We will identify risks, prioritize an action plan, and design and implement the technology systems that will allow you to meet the regulatory deadlines.

Call or email today to set up an appointment. March 1 is sooner than you think!


© 2006 - 2010, RCS Consulting Inc. All rights Reserved