Standards for the Protection of Personal Information

Brian St. Marie – Sr. Systems Engineer

Many people may be familiar with 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, the Massachusetts data privacy law which went into effect March 1st, 2010; all companies which work with the personal information of Massachusetts residents were required to be fully compliant by this date.  Unfortunately, for many small and medium businesses, understanding and implementing this law has been a rather difficult and confusing process.  Many businesses may not even realize the law applies to them.  The law applies to any company which stores or uses personal information of a Massachusetts resident, which is defined as follows:

"...a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account..."

Luckily, has done quite a bit of auditing and compliance reviewing for clients with regard to this new law, helping them to recognize where their processes need to change and ensuring they become compliant.  This week, I helped a CPA firm implement all the changes recommended by their security audit.

In particular, the law requires that each individual employee have a personal network account with a complex password and that user rights be restricted to the information strictly necessary for them to complete their jobs.  In addition, data encryption is required for any portable devices or storage media which may move around or out of the office.  Likewise, access to any personal client data, physical or electronic, must be protected whenever it is not in use by an authorized employee.  These are just a few examples of the requirements of the new law.

While the law can be quite a hurdle for many businesses, it isn't as strict as many other laws or guidelines, such as HIPAA or PCI.  Nonetheless, the requirements should be taken seriously; if the personal information of your clients is ever compromised, you could be held legally responsible for that breach, unless you can show a reasonable effort to comply with 201 CMR 17.00.

If you're unsure whether you're compliant, be sure to review the 201 CMR 17.00 Compliance Checklist and verify that you can answer yes to all the questions.  If you cannot, or are unsure, feel free to Contact Us and an engineer will be happy to help you review your current network and ensure your company is compliant.