Every organization must take reasonable measures to protect personal information of others. We work with a number of businesses in Massachusetts and in this state, you must adhere to the standards defined in 201 CMR 17.00. Essentially this applies to any business that has employees/contractors and most certainly applies if you work in an industry that uses personal information such as a Social Security numbers or bank account information (even occasionally). Most states have similar laws.
It’s important to clarify – this applies to nearly every business. You don’t need to be a bank or hospital to be legally bound to these rules. If you have employees fill out an I9, you have personal information. If you have direct deposit account details, you have personal information. If you have any data that could create a risk of identity theft of others (even to just one person), you need adhere to these standards.
As a technology service provider, we help our customers maintain compliance using our expertise, suite of tools, and guidance. In the case of 201 CMR 17.00, let’s dive deeper into the requirements for this state law.
The goal of the law is the protection of personal information for residents of Massachusetts to prevent against identity theft and fraud. The requirements for organizations are:
- implementing minimum standards to be met safeguarding personal information in paper and electronic records
- being consistent with industry standards
- protection against anticipated threats
- protection against unauthorized access or use of this data
In summary, we need to implement methods (mostly technically based) to reduce exposure.
This all starts with a written plan that addresses appropriate safeguards. These plans should focus on administrative, technical, and physical protection. These plans should be “appropriate” based on the industry, amount of data, and amount of resources. The good news is that we need to be reasonable. The bad news is that these efforts do take time and resources to implement.
This plan (reviewed annually), must identify internal and external risks. We need to think about where your data is stored and who has access to it. We need to make sure employees are aware of this, are compliant with these requirements, and that we have a means of detecting and preventing failures.
Other things we must do:
- Develop security policies for storage, access, and transport of data outside of business premises. This can be detailed in a general industry or workflow document.
- Impose disciplinary measures for violations of the information security program rules. These measures are not defined by the state so use your imagination.
- Take reasonable steps to ensure third-party service providers that have access to this data can maintain appropriate security measures. Require these third parties by contract to implement and maintain appropriate security measures for personal information. Let’s make sure all of our vendors and contracts have some agreed language to protect our data.
- Must have reasonable restrictions on physical access. Do we have unlocked file cabinets or backup drives that can be grabbed?
- Regularly monitoring to ensure the plan is operating in a manor “reasonably calculated” to prevent unauthorized access or use. This is something your IT provider can help with. Do you know if your devices are patched and encrypted? Regular monitoring does not include set and forget.
- Reviewing the scope of security measures annually. A quick meeting to discuss new software tools and data locations may reveal changes necessary to compliance.
- Documenting responsive actions taken in connection with breach and making changes to business practices. Let’s make sure we have a paper trail if we do run into problems.
201 CMR 17.00 defines a number of specific technical areas that need to be adhered to. They require a computer security system and solution set that is “technically feasible”. The industry standard for most businesses includes regular monitoring and reporting of IT security. This is reasonable and expected. Are you getting this from your IT?
The key technical guidelines include implementing:
- Secure password policy on devices and platforms. This needs to be programmatically defined so users cannot change their password to something insecure.
- Blocking access after multiple unsuccessful attempts. Are you getting notified of these events?
- Encryption of laptops
- Utilizing encrypted networks and VPNs
- Monitoring of unauthorized access to personal data
- Reasonably up to date firewall and OS security patches
- Reasonably up to date version of security software which must protect against malware, viruses. Software must be current and supported.
TechTonic can help you maintain compliance with 201 CMR 17.00. We have guidelines that can help you create the written plan, and the technical backend to prevent, detect, and contain exposure.
Scott Morabito is a technologist and founder of TechTonic. He was trained as a computer scientist and resides in Concord MA.