After years of extensions, on March 1, organizations that possess the personally identifiable information of Massachusetts residents will have to be in compliance
Originally set for May 2009 and then pushed to January, the deadline for compliance with the nation's most comprehensive data protection law was extended in August for the final time. The change came after the Office of Consumer Affairs and Business Regulation amended the data protection law requirements due to widespread concern in the business community.
"The federal laws, specifically Gramm-Leach-Bliley, all adopt a risk-based approach," said Barbara Anthony, Massachusetts undersecretary of consumer affairs, in an interview with SearchCompliance.com. "In amending the regulation, we tried to make clear that these rules would also adopt a risk-based approach. Businesses should write their own plan that takes into account the risk specific to the business. We're setting up a destination, not an approach."
Implementation requirements now specifically take into account a particular business's size, scope, available resources, need for information security and the nature and quantity of data collected or stored.
In September, the data breach regulation passed a big test in a public hearing. Feedback was positive, with Robert Kramer, vice president for public policy at computer industry trade association CompTIA, declaring, "If it's not the ultimate version, then it's the penultimate one."
Below, find resources with information that compliance officers need to know about the regulation and what they'll need to do to stay clear of penalties.
MA 201 CMR 17 enforcement less likely with prompt reporting, cooperation
The official charged with enforcing the MA 201 CMR 17.00 data protection law says early reporting of potential breaches and cooperation will help firms avoid enforcement action. Even with a broad range of technologies and best practices in place, companies must promptly own up to any potential breach to avoid facing enforcement actions. Scott D. Schafer, chief of the consumer protection division for the Massachusetts Office of the Attorney General, said the attorney general will be less likely to bring enforcement action against organizations that cooperate quickly and fully following a breach, prove that a breach was inadvertent and demonstrate ongoing adherence to industry best practices for data protection.
Interpreting 'risk' in the Massachusetts data protection law
One of the key practical issues is how to interpret the regulation's "risk-based" language, and how to apply it to an organization's particular set of circumstances. This is ultimately a legal question, making it extremely important for a company's security team to engage its legal team when developing a compliance plan. Without legal training, it will be difficult for security professionals to know how the courts, regulators and potential plaintiffs' attorneys will interpret and apply the regulation. David Navetta looks at key risk-based aspects of the regulation that your compliance and legal teams will need to be prepared for.
Implementing compliance with the Massachusetts data protection act
Expert Richard Mackey explains how to implement compliance with the Massachusetts data protection act.
State data protection laws offer opportunity for proactive companies
Many analysts believe the commonwealth's decision to make firms take a proactive, policy- and procedure-based approach to data protection is the wave of the future, likening 201 CMR 17.00 to California's groundbreaking data breach notification law passed in 2003. First, they say, do a security assessment to identify risks because the next step -- creating the written information security program -- is a big project.
Let us know what you think about the story; email editor@searchcompliance.com. Follow @ITCompliance for compliance news throughout the week.
This was first published in February 2010