Podcast: New Massachusetts data protection law mandates IT compliance

23 Feb 2009 | SearchCompliance.com


A new Massachusetts data protection regulation is one of the most comprehensive in the world. In this podcast from SearchCompliance.com, Alexander Howard interviews Gerry Young, CIO of the Massachusetts Office of Consumer Affairs and Business Regulation, and David Murray, general counsel at the same office. Both state officials discuss the details of 201 CMR 17: Standards for the Protection of Personal Information of Residents of the Commonwealth, including what businesses need to know and what IT compliance means in the context of the regulation.


The regulation was originally set to take effect Jan. 1, 2009. Given the economic climate the state has endured during the past four months, however, the deadline for compliance with the Massachusetts data protection and encryption regulation was extended to May 1, 2009, and then again to Jan. 1, 2010.

Encryption of personally identifiable information stored on portable devices such as laptops, personal digital assistants, smartphones and flash drives must also be in place by Jan. 1, 2010, according to the Massachusetts Office of Consumer Affairs and Business Regulation. The amended version of 201 CMR 17 is available from the office as a PDF.

After Jan. 1, 2010, the regulation mandates data protection standards that must be met by all persons who own, license, store or maintain personal information about a resident of the commonwealth of Massachusetts. It is meant to protect against anticipated threats or hazards to the security or integrity of such information, and against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against those residents.

In the meantime, experts at SearchSecurity.com suggest encrypting now to meet the new regulation, since it requires that personally identifiable information (PII) be protected wherever it resides.

When you listen to the podcast, you'll learn the answers to the following questions:

1. Can you talk about what prompted this legislation? (1:05)

2. What are some best practices that CIOs, chief technology officers and system administrators should follow in achieving and maintaining IT compliance with the new law? (1:44)

3. The broad parameters of the regulation include secure user authentication protocols, secure access control measures, encryption of PII transmitted over wireless networks, monitoring, encryption of portable devices, firewall protection of systems holding PII, up-to-date system security software, and employee education and training. As the state has noted, the regulation applies to huge enterprises, like EMC, all the way down to mom-and-pop coffee shops and other small businesses that may have wireless networks and take credit cards. Will the commonwealth provide classes or other help? If so, how will the commonwealth address concerns about the cost of encryption software or firewalls? (3:05)

4. Are you posting where you'll be appearing to educate people further? (View the schedule at Mass.gov) (4:10)

5. What should businesses expect from the commonwealth? How can business owners make the process as painless as possible? (5:05)

6. The regulation states that "Every person that owns, licenses, stores or maintains personal information about a resident of the commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information." What will such a program look like, and how should small businesses and large enterprises approach creating and maintaining one? (6:25)

7. The provisions of the regulation apply to all persons who own, license, store or maintain personal information about a resident of the commonwealth. Will the regulation affect financial entities, healthcare organizations and businesses across state or national borders?

8. What are your plans to educate software companies and developers that create software that enables encryption, firewalls or other compliance-related applications? Will there be a certification process?
