Massachusetts 201 CMR 17.00 imposes "Protection of Personal Identity Information".

A month ago, I had a chance to meet John Beveridge (Deputy State Auditor at the Office of the State Auditor of Massachusetts) at an ISACA event in Boston. During a casual chat, he briefly mentioned the upcoming regulation, “Mass 201 CMR 17.00 – Massachusetts Standards for Data Protection of Personal Information”, and its compelling security requirements. Out of curiosity, I had my first dig at Mass 201 CMR 17.00 last week. It is the toughest data protection law so far (as a government initiative for preventing identity theft), and I am quite amazed by the stringent rules this regulation imposes for protecting the personal identity information of Massachusetts residents. I am not a lawyer or an auditor by profession, so here is my layman's interpretation of the regulation and the requirements it dictates for securing personal identity information.

  • Comprehensive Information Security Program: every business that handles personal information of Massachusetts residents (in paper or electronic form) must maintain a comprehensive, written program documenting the security measures it practices to prevent unauthorized access and to ensure the confidentiality and integrity of that information.
    • Access control policies and rules for all employees who have access to personal information, with disciplinary action enforced on those who violate them.
    • Upon employee termination, all physical and logical access privileges must be revoked immediately.
    • Third-party service providers must comply with the information security program, and a contractual obligation to do so is required before they are given access to personal information.
    • Identification of the media, including laptops and PDA devices, that store personal information, and written procedures detailing how physical access to those media is restricted.
    • Regular monitoring to verify that the program is operating and preventing unauthorized access, and safeguards that minimize both internal and external risks.
    • A review at least annually, and whenever a material change occurs in business practices that relate to the security or integrity of the information.
    • Documentation of incidents, the actions taken in response, and a post-incident review of events and actions.
  • Secure User Authentication
    • Control of user identifiers and secure methods for selecting and assigning passwords.
    • Alternatively, use of authentication technologies such as token devices and biometrics.
    • Restricting access to active users and active user accounts only.
    • Blocking access to a user identifier after multiple unsuccessful login attempts.
  • Data Encryption for personal information in transit and in storage.
    • Encryption of records stored on laptops and other portable media, and of records transmitted across public networks or wirelessly.
  • Firewall protection and operating system security patches kept reasonably up to date on Internet-connected systems holding personal information, to maintain its integrity.
  • Malware and virus protection, with patches and virus definitions updated on a regular basis.
  • Education and awareness training for employees on the information security program and its practices.

The Mass 201 CMR 17 data protection requirements align well with the Federal Trade Commission’s Red Flags Rule on identity theft prevention. Some of these security practices are already in use at many big companies to address PCI DSS, GLBA and HIPAA requirements. At the outset, this is a big business boost for security architects and for consulting companies that provide information security and identity management infrastructure and solutions. This regulation was supposed to take effect on January 1, 2009; for now the deadline has been extended to May 1, 2009. Not sure that helps everyone, but the compliance deadline is approaching and not far off!

1 thought on “Massachusetts 201 CMR 17.00 imposes "Protection of Personal Identity Information"”

  1. Tom Considine, CIPP

    Ramesh,
    Thanks for the great information. Here’s some info that may help your readers with this law.

    Compliance with 201 CMR 17 doesn’t have to be difficult or complex; it requires a plan of attack and a bit of knowledge or training to accomplish your goals.

    Below are my procedures to help you begin the development of the Computer Systems Security portion of your Written Information Security Program (WISP); it starts with the Risk Assessment survey.

    Some of you may have seen the below post from another group regarding 201 CMR 17. If you have, nothing’s changed…

    I would start the process by asking some simple questions.

    Physically: where is the data kept, and how do you protect it from unauthorized access? If it’s on paper or media like a CD or tapes, how do you keep track of who has access to it during normal daily operations? How and where do you store it when it’s not in use? How do you decide who has/needs access to it and who doesn’t need access to it? How do you destroy it when it’s no longer needed? Are your team members given security awareness training so they are aware of the threats to your business? Do you check your trash to make sure that protected data is not mistakenly discarded?

    Logically: if you have some or no established programs at all, you “MUST” conduct a risk assessment survey identifying what sensitive information you have, where you have it, and how you plan to protect it.

    If the data is on a desktop or network what protective measures are in place? Do you use a firewall and antivirus protections? What are your policies on patches and hot fixes that the hardware and software manufacturers recommend for known vulnerabilities? Do you have a password policy? Is the physical security of the spaces containing ADP adequate? How often do you read your logs, or audit who has been accessing the protected data and how are they using it?

    After you complete all the tasks above, you have just completed your ADP risk assessment! Now you implement the procedures necessary for the identified risks, based on industry best standards.

    * Document as a policy the procedures for how staff members are to utilize ADP in their day-to-day operations.
    * Train your staff on the procedures established, and what’s expected of them, don’t forget to have them sign an acknowledgement of understanding, which includes disciplinary actions for failure to adhere to the requirements of the policy.

    Congratulations! You have just created one portion of your Written Information Security Program (WISP).

    Bottom line is: if you don’t ask questions about how the protection process works, can you have any confidence that your business will survive, even if it is never audited? The law just requires that you take common sense steps to protect the information that your customers have entrusted to you.

    By properly conducting the risk assessment, combined with some solid Lean Six Sigma practices, you will reduce duplicated operations and storage of unnecessary PI, which helps to protect your business.

    If some, none, or all of this makes no sense to some of you reading it, and you’d like to learn more on simplifying the compliance process, visit our website at http://www.TCIPP.com.

    I hope this helps you get on the right road to compliance!

    Regards,

    Tom Considine, CIPP
    Tom Considine & Associates
    Information Privacy Professionals
