Massachusetts MGL 93H and 201 CMR 17 have not been widely publicized, despite originally being scheduled to go into effect on January 1, 2009. Many small business owners that I talk to each day in Massachusetts and around the country have no idea what they are or how they might impact their business in the future, but they will.
How Do These Two Pieces of Legislation Work?
MGL 93H defines security breaches and establishes regulations for safeguarding the personal information of any Commonwealth of Massachusetts resident. While MGL 93H establishes that there is indeed a law on the books to deal with security breaches, the regulation 201 CMR 17.00, which will go into effect on January 1, 2010, implements the provisions of the law and describes what you need to have in place in order to achieve compliance.
What Does 201 CMR 17 Mean For My Business?
201 CMR 17.00 essentially sets minimum standards for the protection of the personal information of any Massachusetts resident, whether it is stored in paper or electronic format. This response to the explosion in identity theft is an effort to ensure that anyone who owns, licenses, stores, or maintains information about a Massachusetts resident follows a set of requirements to protect that data from those who might use it inappropriately or illegally. What you must consider is whether and how these regulations will impact your business. If you collect information about your customers, employees or even contract help (who reside in Massachusetts), such as their name, along with:
- Social Security number
- Credit card number
- Driver’s license information
- Other state issued identification information
and hold it in paper format or in a database for any purpose, then these regulations will affect you and you must take steps to comply.
If you accept credit cards, for instance, you will collect either an imprint of the card or the data from the magnetic stripe. With this information you will complete your transaction and keep a record, or at the very least have that data pass through your network to a third-party card service provider. For many business owners the first reaction is "I do not save this information, so it does not apply to me." The issue is that you are collecting and transmitting personal credit card information, and that your employees have access to it during the transaction.
If you are located in the Commonwealth of Massachusetts, or have employees who reside there, and you keep employment applications, a copy of a driver's license, a personnel file or payroll information on them, then 201 CMR 17 applies to you and you must comply.
When I tell this to small business owners, their first reaction is that these are more government regulations that will require more technology and more costs that they cannot afford right now. The problem is that your customers are your lifeblood and you need to protect them and their information. No small business can afford the cost or implications of a data breach. Aside from the obvious fines that might be imposed by the state and the legal and remediation costs associated with a breach, there is an even greater cost, one that could cost you your entire business: the trust of your customers and the reputation of your business.
So What Do I Have To Do?
201 CMR 17.00 says specifically that those who own, license, store, or maintain information (in any way) about a MA resident shall develop, implement, maintain and monitor a comprehensive, written information security plan (WISP), applicable to any records containing such personal information. In addition to creating and maintaining a WISP, you will need to identify the components of the program, which include:
- Designate one or more employees to maintain the comprehensive information security program.
- Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information.
- Develop security policies for employees.
- Limit the amount of personal information collected.
- Identify paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, and seven other points that address the duty to protect personal information.
201 CMR 17.00 goes further and describes the methods you are expected to comply with regarding the technology that you use. In the section of the regulations entitled Computer System Security Requirements, the state has outlined the technology requirements for compliance. These requirements include:
- Securing user authentication protocols
- Securing access control measures that restrict access to records and manage passwords and users.
- Encrypting data during transmission as well as any data on mobile devices such as laptops and PDAs.
- Ensuring that there are current versions of security software such as anti-virus on systems.
- Training employees about information security
The bottom line is that these new regulations not only require that you have a set of policies and procedures in place for effectively managing your information security, but also direct you on what needs to be in place for technology compliance.
A great deal of the personal information that is compromised is stolen while stored or transmitted electronically, but this critical data can also be stolen for use in committing a crime while stored on paper in a file cabinet, or after it has been improperly disposed of in a dumpster. The goal of MA MGL 93H and 201 CMR 17.00 is to change how a business views personal information and to have it take steps for the proper collection, use, storage, transport and destruction of that information.
Compliance for a small business does not have to be cost prohibitive, but depending on the size and scope of your organization, changes may be necessary. To learn more about 201 CMR 17 and developing a WISP for your company, go to www.201CMR17Solutions.com.