201 CMR 17.00 - The Massachusetts Data Protection Law
The Law is Real
Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00
The Law is Here
Every organization that collects, owns or licenses personal information about a resident of the Commonwealth must be in full compliance with 201 CMR 17.00 on or before March 1, 2010.
The Law has Teeth
If you need motivation to move towards compliance, Massachusetts General Law, Chapter 93A, section 4 specifically authorizes the Attorney General to seek injunctive relief against an organization engaged in the unlawful act or practice. In addition, section 4 allows a court to impose a civil penalty of up to $5,000 for each violation; if "violation" is interpreted to mean the unauthorized access to a single individual's personal information, the potential penalties across a breach affecting thousands of residents could be enormous.
Key Elements of 201 CMR 17.00:
- The personal information requiring protection has been specifically defined;
- All records containing personal information must be protected, and a "record" is defined as any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics; paper files are in scope, not just databases;
- A "breach of security" is defined as "the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information" that "creates a substantial risk of identity theft or fraud against a resident of the Commonwealth." Note that encrypted data counts as breached if the key or decryption process is taken along with it;
- When a breach of security occurs, notice must be given to the Attorney General, to the Director of Consumer Affairs and Business Regulation, and to each individual whose personal information was acquired without authority (the notification duty itself is set out in the companion breach-notification statute, M.G.L. Chapter 93H);
- Every organization that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive written information security program (WISP) that is "consistent with industry standards" and contains "administrative, technical, and physical safeguards to ensure the security and confidentiality" of records containing personal information;
- Safeguards must be consistent with the safeguards for protecting personal information that are "set forth in any state or federal regulations by which the organization who owns, licenses, stores or maintains such information may be regulated";
- Each comprehensive written information security program requires the organization to develop a number of written policies and procedures covering:
- Control of user IDs and other identifiers
- Secure method of assigning and selecting passwords
- Secure method of protecting passwords (passwords are not to be stored where they could be compromised, and no vendor-supplied default passwords)
- Restrict access to active users and active user accounts only
- Block access to a user ID after multiple unsuccessful login attempts
- Restrict access to records and files containing personal information to those who need it to perform their job
- Assign unique IDs and passwords to each user
- Encrypt all records and files containing personal information that are transmitted across public networks
- Encrypt all data containing personal information that is transmitted wirelessly
- Encrypt all personal information stored on laptops or other portable devices
- Monitor systems for unauthorized use of, or access to, personal information
- Maintain firewall protection for personal information on any system connected to the Internet
- Apply up-to-date operating system security patches to Internet-connected systems holding personal information
- Deploy malware/virus protection on all systems
- Keep security agent software (malware protection) patched and its virus definitions up to date
- Develop and maintain the written information security program itself
- Establish a means for detecting and preventing security system failures
- Securely store and back up data
- Review security measures at least annually, and whenever there is a material change in business practices
- Refer to 201 CMR 17.00 for the complete text of the comprehensive information security program (17.03) and computer system security (17.04) requirements.
Sound Familiar?
It should. ISO/IEC 27001:2005 directly covers roughly 95% of the 201 CMR 17.00 requirements without modification. The main gap is that ISO/IEC 27001 is risk-based and leaves control selection to the organization, whereas 201 CMR 17.04 prescriptively mandates encryption of personal information in transit over public and wireless networks and at rest on laptops and portable devices. With a few specific controls added to cover those encryption requirements, ISO/IEC 27001:2005 provides a truly comprehensive information security program that will stand up to the next round of state and/or federal regulations.
Compliance and certification to ISO/IEC 27001:2005 make more sense now than ever before, especially since IT Governance's ISO/IEC 27001 ISMS Documentation Toolkit, version 2.1, has been revised to include all the requirements from 201 CMR 17.00.
Revision 2.1 of the Standalone ISO/IEC 27001 ISMS Documentation Toolkit contains:
- Copy of 201 CMR 17.00
- Copy of FAQs from the Massachusetts Office of Consumer Affairs and Business Regulation
- Mapping of the requirements within 201 CMR 17.00 to the clauses and controls of ISO/IEC 27001:2005
- Model Information Security Policy and model Statement of Applicability
- Pre-written Information Security Manual
- vsRisk and RA2 Risk Assessment Tool Integration Templates (but not vsRisk or RA2 themselves)
- Business Continuity Plan
- Service Level Agreement Template
- 450+ pages of fit-for-purpose information
- 120+ pre-written policies, procedures, templates and guidance, including the 201 CMR 17.00 requirements
- Internal audit and Corrective and Preventive Action (CAPA) documentation
- Implementation manager guidance
- Enterprise security assessment tool
- Gap analysis/ISO/IEC 27001 Audit tool
- 'What is ISO27001/ISO27002?' (project staff training slides)
- PDCA and documentation pyramid presentation