The New Mass. Data Protection Law— and What it Means for Your Organization

Lately at Boston Interactive, we’ve been flooded with questions regarding the new data protection law in Massachusetts and what it means for organizations and their websites. Whether or not your business is located in Massachusetts, this law may have implications for how your organization handles its data, so it’s important to be aware of its requirements. The law is officially titled 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH (Data Protection Law). It was issued in September 2008 and, after several delays, takes effect March 1, 2010.

The law “establishes minimum standards to be met by people who own or license personal information about a resident of the Commonwealth of Massachusetts” (201 CMR 17.01). What this means is that if you or your company handle Personal Information about anyone living in Massachusetts (an employee or a customer), you are legally obligated to abide by the Data Protection Law, even if your company is not based in Massachusetts. If that data is collected through your website, the site itself will need to meet the standards below.

Personal Information (PI) is defined (201 CMR 17.02) as a Massachusetts resident’s first and last name, or first initial and last name, in combination with any of the following: Social Security number, driver’s license number or state-issued ID number, or a financial account number such as a credit card, debit card or bank account number. Most e-commerce sites will be affected by these regulations, as will non-profit organizations accepting online donations.

In a nutshell, the law says you must:

  1. Designate at least one employee to maintain the comprehensive information security program.
  2. Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of all records, paper and electronic, that contain PI, and evaluate and improve the effectiveness of the current safeguards for limiting those risks.
  3. Develop security policies that impose disciplinary measures for violations.
  4. Prevent terminated employees from accessing records containing PI.
  5. Store documents (paper or electronic) containing PI in a locked facility or storage area.
  6. Review the security policy at least annually and update it as needed.
  7. Document the actions taken in connection with any incident involving a breach of security (201 CMR 17.03).

There are also “Computer System Security Requirements” in section 17.04. They apply to anyone who electronically stores or transmits PI and, in the regulation’s own words, “to the extent technically feasible.” They are as follows:

  1. Secure user authentication protocols, including:
    a. control and secure storage of user IDs and other identifiers
    b. a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies such as biometrics or token devices
    c. blocking access to a user ID after multiple unsuccessful attempts to gain access
  2. Secure access control measures that:
    a. restrict access to records and files containing PI to those employees who need the information to perform their job duties
    b. assign unique IDs and passwords, which are not vendor-supplied default passwords, to each person with computer access
  3. Encryption of all transmitted records and files containing PI that will travel wirelessly or across public networks
  4. Reasonable monitoring of systems for unauthorized use of or access to PI
  5. Encryption of all PI stored on laptops or other portable devices
  6. Reasonably up-to-date firewall protection and operating system security patches on any system holding PI that is connected to the Internet, reasonably designed to maintain the integrity of the PI
  7. Reasonably up-to-date malware protection, with current patches and virus definitions, set to receive security updates on a regular basis
  8. Education and training of employees on the proper use of the computer security system and the importance of PI security
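To make the 17.04 items concrete for a website login, here is a small Python account store that shows three of them in code. It is an added example, not code from the original post or from any official guidance: passwords are kept as salted PBKDF2-HMAC hashes instead of plaintext (a reasonably secure way of storing assigned passwords, item 1b), vendor-supplied default passwords are refused when credentials are assigned (item 2b), and a user ID is blocked after repeated failed attempts (item 1c). The attempt threshold, lockout window, minimum password length, the default-password list and the sample user records are all assumptions chosen for the illustration.

```python
"""Added example, not part of the original post: a minimal account store
for a website login that implements three of the 201 CMR 17.04 controls:
passwords kept as salted PBKDF2-HMAC hashes instead of plaintext (17.04(1)(b)),
vendor-default passwords refused when credentials are assigned (17.04(2)(b)),
and lockout after repeated failed attempts (17.04(1)(c)).
The thresholds, minimum length and default-password list are assumptions."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5        # assumed: lock the account on the 5th failure
LOCKOUT_SECONDS = 15 * 60      # assumed: 15-minute lockout window
MIN_PASSWORD_LENGTH = 12       # assumed minimum for user-chosen passwords
PBKDF2_ITERATIONS = 100_000

# Constructed sample of vendor-supplied defaults that must never be accepted.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "welcome1", "1234"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    def __init__(self, now: Callable[[], float] = time.monotonic) -> None:
        self._now = now          # injectable clock so lockout expiry can be exercised
        self._users: Dict[str, dict] = {}

    def create_user(self, user_id: str, password: str) -> None:
        """Assign a unique ID and a non-default password (17.04(2)(b))."""
        if user_id in self._users:
            raise ValueError("user IDs must be unique")
        if password.lower() in DEFAULT_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("vendor-default or too-short password rejected")
        salt, digest = hash_password(password)
        self._users[user_id] = {"salt": salt, "digest": digest,
                                "failures": 0, "locked_until": 0.0}

    def authenticate(self, user_id: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'."""
        rec = self._users.get(user_id)
        if rec is None:
            hash_password(password, b"\x00" * 16)   # same work for unknown IDs (timing)
            return "denied"
        if self._now() < rec["locked_until"]:
            return "locked"                          # 17.04(1)(c): blocked after repeated failures
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["failures"] = 0
            rec["locked_until"] = self._now() + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def demo() -> List[str]:
    """Walk through the controls with a fake clock; returns the sequence of outcomes."""
    clock = [0.0]
    store = AccountStore(now=lambda: clock[0])
    outcomes: List[str] = []
    try:
        store.create_user("installer", "admin")      # vendor default: must be refused
    except ValueError:
        outcomes.append("default-rejected")
    store.create_user("alice", "correct horse battery staple")   # constructed user
    outcomes.append(store.authenticate("alice", "correct horse battery staple"))  # ok
    outcomes.append(store.authenticate("nobody", "whatever"))                     # denied
    for _ in range(MAX_FAILED_ATTEMPTS - 1):
        outcomes.append(store.authenticate("alice", "wrong"))                     # denied x4
    outcomes.append(store.authenticate("alice", "wrong"))                         # locked
    outcomes.append(store.authenticate("alice", "correct horse battery staple"))  # still locked
    clock[0] = LOCKOUT_SECONDS + 1                    # lockout window has elapsed
    outcomes.append(store.authenticate("alice", "correct horse battery staple"))  # ok again
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the digest comparison uses hmac.compare_digest so a wrong password is not distinguishable by response time, and an unknown user ID still costs one PBKDF2 computation so that attackers cannot enumerate valid IDs by timing. The lockout is per user ID and expires on its own; the regulation only requires that access be blocked after multiple failures, so the duration and threshold are policy choices your security program should document.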

The full text of 201 CMR 17.00 is published by the Massachusetts Office of Consumer Affairs and Business Regulation.

Hopefully this quick breakdown has helped you to better understand the Massachusetts Data Protection Law and how it affects your business. We realize that this law is overwhelming for many and we’ve only begun to scratch the surface here. There are numerous events, online presentations, and webinars available to help organizations understand and comply with this law.

If you have questions about the law (and who doesn’t?) leave them here and we’ll do our best to get you an answer.

1 Comment so far
  1. Jason March 4th, 2010 8:27 PM

    Good post… there is another take on the Mass 201 law here: http://blog.maas360.com/massLaw

    … wondering if this will become a trend?
