The Massachusetts data security regulations require that businesses develop, implement and maintain a comprehensive written data security program to protect the "Personal Information" of Massachusetts residents. The program contemplated under the regulations requires, among other things, identifying risks to Personal Information and evaluating safeguards, appointing an employee or employees to maintain the program, developing written security policies for electronic and physical files, and regularly monitoring the program. These regulations must be implemented even if security problems never arise.
Who does this affect?
All persons who store or manage Massachusetts residents' Personal Information.
How do I know if I am affected?
If you or your business stores ANY physical files OR electronic data, which contain a Massachusetts resident's Personal Information, including data stored on computers, laptops, external media, Internet, or even in a filing cabinet, you are required to comply with the CMR 17 regulations.
Why was this law passed?
We have all heard about the data breaches experienced by large companies such as TJX and the costs related to such breaches, including class-action litigation arising from the damages caused to the individuals whose identities were stolen. Small to mid-size businesses are not expected to take the same steps a company such as TJX would need to take in order to protect Personal Information. However, if there is an audit or a security breach, the chances of liability increase greatly for companies that did not take reasonable steps to comply with the law and regulations.
When is the deadline?
The deadline for WISP compliance is now March 1, 2010.
What is a WISP?
A WISP is a Written Information Security Program, which details the steps you have taken and the procedures you have implemented to ensure compliance with the CMR 17 requirements. This document will list the person(s) responsible for keys to cabinets, policies and procedures for storing and processing personal data, personnel security levels on the network, anti-virus licensing expiration management, firewall administration and security level, and various aspects of the necessary documentation.
How do I become compliant?
Through a coordinated effort utilizing software and business processes, we can help you take the steps necessary to comply with 201 CMR 17.00 and ensure that no one else will have access to your data!