A new Massachusetts data protection law is one of the most comprehensive in the world. In this podcast from SearchCompliance.com, Alexander Howard interviews Gerry Young, CIO of the Massachusetts Office of Consumer Affairs and Business Regulation, and David Murray, general counsel at the same office. Both state officials discuss the details of 201 CMR 17: Standards for The Protection of Personal Information of Residents of the Commonwealth, including what businesses need to know and what IT compliance means in the context of the regulation.
The regulation was originally set to take effect Jan. 1, 2009. Given the macroeconomic climate the state has endured during the past four months, however, the deadline for compliance with the Massachusetts data protection and encryption regulation was extended first to May 1, 2009, and then again to Jan. 1, 2010.
Encryption of personally identifiable information stored on portable devices such as laptops, personal digital assistants, smartphones and flash drives must also be in place by Jan. 1, 2010, according to the Massachusetts Office of Consumer Affairs and Business Regulation. The amended version of 201 CMR 17 is available from the office as a PDF.
After that date, the regulation mandates data protection standards that must be met by every person who owns, licenses, stores or maintains personal information about a resident of the commonwealth of Massachusetts. Its stated purpose is to safeguard such information against anticipated threats or hazards to its security or integrity, and against unauthorized access to or use of it in a manner that creates a substantial risk of identity theft or fraud against those residents.
In the meantime, experts at SearchSecurity.com suggest encrypting now rather than waiting for the deadline, since the regulation requires that personally identifiable information (PII) be protected wherever it resides, whether at rest on a server or laptop or in transit across a public or wireless network.
When you listen to the podcast, you'll learn the answers to the following questions:
1. Can you talk about what prompted this legislation? (1:05)
2. What are some best practices that CIOs, chief technology officers and system administrators should follow in achieving and maintaining IT compliance with the new law? (1:44)
3. The broad requirements of the regulation include secure user authentication protocols, secure access control measures, encryption of personal information transmitted across public networks or wirelessly, reasonable monitoring of systems for unauthorized use, encryption of personal information stored on laptops and other portable devices, firewall protection of systems containing PII, up-to-date security software (patches and anti-malware), and employee education and training. As the state has noted, the regulation applies to huge enterprises, like EMC, all the way down to mom-and-pop coffee shops and other small businesses that may run wireless networks and take credit cards. Will the commonwealth provide classes or other help? If so, how will the commonwealth address concerns about the cost of encryption software or firewalls? (3:05)
4. Are you posting where you'll be appearing to educate people further? (View the schedule at Mass.gov) (4:10)
5. What should businesses expect from the commonwealth? How can business owners make the process as painless as possible? (5:05)
7. The regulation states that "Every person that owns, licenses, stores or maintains personal information about a resident of the commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information." What will such a program look like, and how should small businesses and large enterprises approach creating and maintaining one? (6:25)
8. The provisions of this regulation apply to all persons who own, license, store or maintain personal information about a resident of the commonwealth. Will the regulation affect financial entities, healthcare organizations and businesses across state or national borders?
9. What are your plans to educate software companies and developers that create software that enables encryption, firewalls or other compliance-related applications? Will there be a certification process?
This was first published in February 2009