- The general compliance deadline for 201 CMR 17.00 has been extended from January 1, 2009 to May 1, 2009. The date is consistent with a new FTC Red Flag Rule, which requires financial institutions and creditors to develop and implement written identity theft prevention programs.
- The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so will be extended from January 1, 2009 to May 1, 2009, and the deadline for requiring written certification from third-party providers will be further extended to January 1, 2010.
- The deadline for ensuring encryption of laptops will be extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices will be further extended to January 1, 2010.
The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth in either paper or electronic form.
In a nutshell:
These regulations are more prescriptive than HIPAA, GLBA and SOX, and less prescriptive than the Payment Card Industry Data Security Standards. HOWEVER, most organizations that have come into compliance with PCI DSS are only concerned with cardholder data, however 201 CMR 17.00 defines "Personal Information" in this fashion:
"A Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
(a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public."
If your organization owns, licenses, stores or maintains personal information about a resident of the Commonwealth in either paper or electronic form, you should quickly determine what course of action your organization needs to take. You should take note of the "ensuring encryption of other portable devices" requirement.
Links from Office of Consumer Affairs and Business Regulation:
201 CMR 17.00 Compliance Checklist
Small Business Guide for Formulating a Comprehensive Written Information Security Program
Frequently Asked Questions Regarding 201 CMR 17.00
Some excerpts from 201 CMR 17.00:
Develop, implement, maintain and monitor a comprehensive, written information security program.
Every comprehensive information security program shall include, but shall not be limited to:
(a) Designating one or more employees to maintain the comprehensive information security program;
(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
- (i) ongoing employee (including temporary and contract employee) training;
- (ii) employee compliance with policies and procedures; and
- (iii) means for detecting and preventing security system failures.
(c) Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.
(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.
(e) Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.
(f) Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including
- (i) selecting and retaining service providers that are capable of maintaining safeguards for personal information; and
- (ii) contractually requiring service providers to maintain such safeguards. Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations.
(g) Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with state or federal record retention requirements.
(h) Identifying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.
(i) Reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas or containers.
(j) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.
(k) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
(l) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
Computer System Security Requirements
Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:
(1) Secure user authentication protocols including:
- (i) control of user IDs and other identifiers;
- (ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
- (iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect
- (iv) restricting access to active users and active user accounts only; and
- (v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
(2) Secure access control measures that:
- (i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
- (ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
(3) To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly.
(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;
(5) Encryption of all personal information stored on laptops or other portable devices;
(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
Visit us at www.ePrivacyAwareness.com or contact us at info@ePrivacyAwareness.com to get help with your Education and Training needs.
No comments:
Post a Comment